GENERALISED SIFTING IN BLACK-BOX GROUPS 



SOPHIE AMBROSE, MAX NEUNHOFFER, CHERYL E. PRAEGER, AND CSABA SCHNEIDER 

Abstract. We present a generalisation of the sifting procedure introduced originally by Sims for computation with finite permutation groups, and now used for many computational procedures for groups, such as membership testing and finding group orders. Our procedure is a Monte Carlo algorithm, and is presented and analysed in the context of black-box groups. It is based on a chain of subsets instead of a subgroup chain. Two general versions of the procedure are worked out in detail, and applications are given for membership tests for several of the sporadic simple groups.

Our major objective was that the procedures could be proved to be Monte Carlo algorithms, and their costs computed. In addition we explicitly determined suitable subset chains for six of the sporadic groups, and we implemented the algorithms involving these chains in the GAP computational algebra system. It turns out that sample implementations perform well in practice. The implementations will be made available publicly in the form of a GAP package.



1. Introduction 

We generalise a sifting procedure introduced originally by Sims Section 4] (see also [16, Section 2] and ^1 Chapter 4]) for computation with permutation groups. Our version is given in the context of black-box groups, and is based on a chain of subsets rather than a subgroup chain. The essential ingredient is a scheme for sifting a group element $g$ down a descending chain

$$G_0 = S_0 \supseteq S_1 \supseteq \cdots \supseteq S_k \tag{1}$$

of non-empty subsets of a subgroup $G_0$ of a finite group $G$. The sifting procedure seeks elements $s_0, \dots, s_k \in G_0$ such that, for each $i < k$, $S_i s_i \subseteq S_i$ and $g s_0 \cdots s_i \in S_{i+1}$, in addition $g s_0 \cdots s_{k-1} s_k = 1$, and $s_k$ or its inverse lies in $S_k$. In many instances the $s_i$ will lie in $S_i$, but this is not required in general. (Conditions on membership for the $s_i$ are given in Definition 4.1.)

A major objective of this work is to give a careful presentation of a randomised generalised sifting algorithm with an analysis that proves a guaranteed upper bound on the probability of failure and provides an estimate of the complexity in terms of the input size. We present our results in a sequence of steps. This 'modular' approach enables us to focus in our exposition on the new concepts and methods introduced at each stage. First we present in Section 4 a skeleton version of the generalised sifting algorithm Sift that involves a sequence of basic modules, namely various versions of a procedure called BasicSift, for which only the input and output requirements are given explicitly. We prove in Theorem 4.2 that the algorithm Sift is a Las Vegas algorithm.

Next, in Sections El and El we present more details of the versions of BasicSift we have developed, and prove in Theorems 5.3 and 5.6 that for these versions, BasicSift is a Monte Carlo algorithm. This exposition of BasicSift is given in terms of a generic membership test IsMember for which only the input and output requirements are given explicitly. Note that the BasicSift modules will often be Monte Carlo algorithms with a non-zero probability of returning an incorrect result. However the complete algorithm Sift is a Las Vegas algorithm since we can test with certainty that, for our output element $x = s_0 \cdots s_k$, the element $gx$ is equal to the identity. (See Definition 3.4 for a discussion of these types of algorithms.)

In Section 13 we introduce a version of IsMember based on random conjugates. It was this version that inspired the development of the conceptual framework presented in the paper. The idea can best be understood by briefly considering the following special case. Suppose that a finite group $G$ has a chain of subgroups

$$G = H_0 > H_1 > \cdots > H_k = \{1_G\} \tag{2}$$

and that $a \in H_{k-1} \setminus \{1\}$ is such that, for each $i$, the subset $a^G \cap H_i$ of $a$-conjugates lying in $H_i$ forms a single $H_i$-conjugacy class $a^{H_i}$. Then for $x \in G$, the conjugate $a^x$ lies in $H_i$ if and only if $a^x = a^h$ for some $h \in H_i$, and, in turn, this holds if and only if $xh^{-1} \in C_G(a)$. Thus $a^x \in H_i$ if and only if $x \in C_G(a)H_i$, that is to say, a membership test for $a^x$ to lie in the subgroup $H_i$ is equivalent to a membership test for $x$ to lie in the subset $C_G(a)H_i$. Development of this idea to handle the general case where the subsets $a^G \cap H_i$ split into several $H_i$-conjugacy classes led to the theory presented in Section 7.

In Section 8 we give full details of a version of IsMember that relies on element orders. For the corresponding version of BasicSift we are then able to provide in Corollary 8.2 our most comprehensive complexity estimate.

Before presenting the theoretical details we give a worked example of our algorithm for the Higman-Sims sporadic simple group in Section 2. This example was chosen to illustrate most of the methods that will be developed in the paper.

The original motivation for this research stems from the matrix group recognition project, see [HI 112], and in particular the need to recognize constructively all quasi-simple matrix groups over finite fields. The usual approach has been to design algorithms for recognizing finite quasi-simple groups by their intrinsic properties as abstract groups rather than building different algorithms for each of their different matrix representations. This has resulted in the development of recognition algorithms for most of the almost simple groups represented as black-box groups (see [HIS 111130 CHI). A black-box group is one in which the elements are represented (possibly non-uniquely) as binary strings of bounded length and in which we can perform the following operations (and only these): we can test whether two given strings represent the same group element, and we can produce strings representing the inverse of a given element, and the product of two given elements. In this paper we give algorithms that involve only these 'black-box operations' of equality tests, extracting inverses, and multiplying group elements. Thus our algorithms are black-box algorithms.

We are aware of the impressively successful practical algorithms of [H] for recognizing sporadic groups based on the theory of involution centralisers. However, there seemed to be no framework available to analyse the probability of completion or the cost of these algorithms. Our motivation was based on both experience and hope: experience with developing recognition algorithms for finite symmetric and alternating groups in m |2| complete with proofs and complexity analyses; and hope that the ideas of Charles Sims could be made effective for black-box groups, where information needed about a permutation or matrix action must be derived from purely group theoretic properties. Success in computing with some of the sporadic simple groups suggested that our new approach would provide an alternative method for recognizing and computing with these groups. We believe that we have been successful, both theoretically and in practice. The algorithmic framework presented in this paper offers an effective and convenient means of analysing membership tests for sporadic simple groups and other groups, providing proofs of completion probability and complexity. The framework offers flexibility in choice of subset chains and types of the basic sifting procedures. Explicit examples of the algorithms have been developed and implemented for several of the sporadic groups and perform very well in practice. In Section^] we summarise the information about these examples and also present some details concerning the implementations of the procedures presented in this paper. We emphasise that all groups that occur in this paper are finite.

2. Generalised sifting: an example 

The aim of this section is to explain our approach using the example of the Higman-Sims group HS. We think of HS as a group given to us in its most natural representation, that is, a group of permutations with degree 100. Throughout this section we use various facts concerning HS, and the validity of these facts can easily be checked using the Atlas [7], or a computer algebra package, such as GAP [8] or Magma [3]. In order to describe subgroups of HS we use the notation introduced in the Atlas.

Suppose that $a, b$ are standard generators in the sense of jTTj for HS given on the Atlas web site. Assume that $G$ is a black-box group isomorphic to HS and $x, y$ are standard generators for $G$ obtained using the procedure described in the online Atlas jTSj. Then the map $a \mapsto x$, $b \mapsto y$ can be extended in a unique way to an isomorphism $\varphi : \mathrm{HS} \to G$. Since HS is a permutation group, it is possible to compute, using the Schreier-Sims Algorithm, a base and a strong generating set for HS. Using them, a permutation in HS can efficiently be written as a word in $a, b$. Thus, if $u \in \mathrm{HS}$ then $\varphi(u)$, as a word in $x$ and $y$, can be computed efficiently. The constructive recognition of the black-box group $G$ requires us to perform the opposite process: given $g \in G$, we must find an element $u \in \mathrm{HS}$ such that $\varphi(u) = g$. This is equivalent to writing the element $g$ as a word in $x$ and $y$.

In order to complete our task, we specify some (precomputed and stored) elements and 
subgroups in G. We use the following important convention: 

every element we introduce in $G$ from now on will be expressed as a word in $x, y$. Similarly, every subgroup of $G$ we use will be given with a generating set, and each generator in this set is assumed to be a word in $x, y$.

Let $L_1$ be a maximal subgroup of $G$ isomorphic to $U_3(5).2$. A generating set for such a subgroup can be found by computing a generating set for a maximal subgroup in HS isomorphic to $U_3(5).2$, and mapping the generators into $G$ using $\varphi$. In the same way, we find a maximal subgroup $L_2$ in $L_1$ isomorphic to $5^{1+2} : (8:2)$. Let $L_3$ be a cyclic subgroup of $L_2$ of order 8 in a complement $8 : 2$ for $5^{1+2}$. To be consistent with the notation to be introduced in later sections of the paper we will denote a generator of $L_3$ by $a$. We emphasise that this element $a$ lies in $L_3$ and is not a standard generator of HS. Let $a$ be an element of order 8 in $L_3$, and set $L_4 = 1$. The four generators of $L_3$ are all conjugate to each other in $G$ and in $L_1$; they fall into two conjugacy classes of $L_2$, and they are pairwise not conjugate in $L_3$. Thus there are elements $t_1 \in L_1$, $t_2, t_3, t_4 \in L_2$ such that $a^{G} \cap L_2 = a^{L_2} \cup a^{t_1 L_2}$, $a^{L_2} \cap L_3 = \{a, a^{t_2}\}$ and $a^{t_1 L_2} \cap L_3 = \{a^{t_1 t_3}, a^{t_1 t_4}\}$. Set $T_2 = \{1, t_1\}$, $T_3 = \{1, t_2, t_1 t_3, t_1 t_4\}$, and $T_4 = \{1\}$.

We therefore have a chain of subgroups

$$G \geq L_1 \geq L_2 \geq L_3 \geq L_4 = 1,$$

with $|G : L_1| = 176$, $|L_1 : L_2| = 126$, $|L_2 : L_3| = 250$, $|L_3| = 8$.

2.1. Sifting $g \in G$ into the first subset: element orders. Let $g \in G$. If we were to perform Sims's usual sifting procedure, we would look for an element $h_1 \in G$ such that $gh_1 \in L_1$. The probability that a random $h_1$ satisfies this property is $|L_1|/|G| = 1/176$. What we do instead is as follows. Let $C_1 = C_G(a)$. We look for an element $h_1 \in G$ such that $gh_1 \in C_1 L_1$. As $|C_1| = 16$ and $|C_1 \cap L_1| = |C_{L_1}(a)| = 8$, the probability that $gh_1 \in C_1 L_1$, for a random $h_1$, is $|C_1 L_1|/|G| = 2|L_1|/|G| = 1/88$.

In order to make this work, we must have a membership test for $C_1 L_1$. Since $a^G \cap L_1 = a^{L_1}$, we have, as explained in the introduction, that, for $u \in G$, $u \in C_1 L_1$ if and only if $a^u \in L_1$. Thus to obtain a membership test for $C_1 L_1$, we only need to design a membership test for $L_1$. Let $u \in G$, and let $X_1$ be a generating set for $L_1$; set $\overline{X}_1 = X_1 \cup \{u\}$. It is clear that $u \in L_1$ if and only if $\langle X_1 \rangle = \langle \overline{X}_1 \rangle$. Now about one quarter of the elements of $G$ have order 15 or 11, but no element in $L_1$ has order equal to one of these numbers. Hence we select random elements in $\langle \overline{X}_1 \rangle$. If such a random element has order 11 or 15, then we conclude with certainty that $u \notin L_1$. If, however, after many random selections we do not find an element with order 11 or 15, then we may say that $u \in L_1$ with a certain high probability. This can be formulated to give a one-sided Monte Carlo membership test for $C_1 L_1$; see Section 8 for details.

2.2. Sifting $gh_1$ into the second subset: random conjugates. The intersection $a^{L_1} \cap L_2$ is the union of two conjugacy classes in $L_2$, namely $a^{L_2}$ and $a^{t_1 L_2}$ where $t_1 \in L_1$ and we set $T_2 = \{1, t_1\}$ as above. Let $C_2$ denote the set $C_G(a)T_2$. As $L_2 \leq L_1$ and $T_2 \subseteq L_1$, we have $C_2 L_2 \subseteq C_1 L_1$. Now we seek an element $h_2 \in L_1$ such that $gh_1h_2 \in C_2 L_2$. We will call an element $h_2 \in L_1$ 'good' if and only if $gh_1h_2 \in C_2 L_2$, or equivalently, if and only if $a^{gh_1h_2} \in L_2$. If $h_2$ is a uniformly distributed random element of $L_1$ and $gh_1 \in C_1 L_1$, then $a^{gh_1h_2}$ is a uniformly distributed random element of the conjugacy class $a^{L_1}$. For each $x \in a^{L_1} \cap L_2$ there are $|C_{L_1}(a)|$ choices for $h_2 \in L_1$ such that $a^{gh_1h_2} = x$. Therefore the total number of 'good' elements is $|a^{L_1} \cap L_2|\,|C_{L_1}(a)|$, and so the probability that $h_2$ is 'good' is

$$\frac{|a^{L_1} \cap L_2|\,|C_{L_1}(a)|}{|L_1|} = \frac{|a^{L_1} \cap L_2|}{|a^{L_1}|} = \frac{500}{31500} = \frac{1}{63}.$$

In order to test whether $a^{gh_1h_2} \in L_2$, recall that $L_2$ is isomorphic to $5^{1+2} : (8 : 2)$. A deterministic membership test for $L_2$ can easily be designed using the fact that $N_G(Z(5^{1+2})) = L_2$ where $Z(5^{1+2}) = \langle b \rangle$ is the centre of $5^{1+2}$: namely, to test whether an element $x \in G$ lies in $L_2$ simply test whether $b^x \in \{b, b^2, b^3, b^4\}$.

2.3. Sifting $gh_1h_2$ into the third subset. The group $L_3$ is cyclic with order 8. Set $C_3 = C_G(a)T_3$ where $T_3 = \{1, t_2, t_1t_3, t_1t_4\}$. As $T_3 \subseteq T_2L_2$, we obtain $C_3L_3 \subseteq C_2L_2$. We look for an element $h_3 \in L_2$ such that, given $gh_1h_2 \in C_2L_2$, we have $gh_1h_2h_3 \in C_3L_3$. Using the definition of $T_3$, we obtain that, given $gh_1h_2 \in C_2L_2$, the condition $gh_1h_2h_3 \in C_3L_3$ holds if and only if $a^{gh_1h_2h_3} \in L_3$. Arguing as for the previous case, the probability that, given $gh_1h_2 \in C_2L_2$, a random $h_3 \in L_2$ yields $gh_1h_2h_3 \in C_3L_3$ is at least

$$\min\left\{ \frac{|a^{L_2} \cap L_3|}{|a^{L_2}|},\ \frac{|a^{t_1L_2} \cap L_3|}{|a^{t_1L_2}|} \right\},$$

and it is easy to compute that this number is $2/250 = 1/125$. At the end of this process we have with high probability that $a^{gh_1h_2h_3} \in \{a, a^{t_2}, a^{t_1t_3}, a^{t_1t_4}\}$. Therefore after a number of equality tests we obtain a word $w$ in $x, y$ such that $gw \in C_4$ where $C_4 = C_G(a)$. As $|C_G(a)| = 16$, using the map $\varphi$, it is easy to compute each element of $C_G(a)$ as a word in $x, y$. Then comparing $gw$ against the elements of $C_G(a)$, it is now easy to express $g$ as a word in $x, y$.

Thus the main ingredients of this process are a descending chain of subgroups $\{L_i\}_{i=1}^{4}$, a sequence of subsets $\{C_i\}_{i=1}^{4}$ defined in terms of the centraliser of the element $a$, and the sequence of subsets $T_i$ where we take $T_1 = \{1\}$. Our sifting procedure progressed through the following descending chain of non-empty subsets:

$$G \supseteq C_1L_1 \supseteq C_2L_2 \supseteq C_3L_3 \supseteq C_4;$$

the final step was a series of equality tests with the elements of $C_4$.

3. A small toolbox

In this section we collect several results that we need in our proofs. For an event $E$, $\mathrm{Prob}(E)$ denotes the probability of $E$. For events $A$ and $B$, $\mathrm{Prob}(A|B)$ denotes the probability of $A$, given that $B$ holds. We recall that $\mathrm{Prob}(A|B) = \mathrm{Prob}(A \cap B)/\mathrm{Prob}(B)$. The following result from elementary probability theory will often be used in this article.

Lemma 3.1. If $A$, $B$, $C$ are events such that $C \subseteq B \subseteq A$, then

$$\mathrm{Prob}(C|A) = \mathrm{Prob}(C|B) \cdot \mathrm{Prob}(B|A).$$

Proof. As $B = B \cap A$ and $C = C \cap B = C \cap A$, we obtain

$$\mathrm{Prob}(C|B) \cdot \mathrm{Prob}(B|A) = \frac{\mathrm{Prob}(C \cap B)}{\mathrm{Prob}(B)} \cdot \frac{\mathrm{Prob}(B \cap A)}{\mathrm{Prob}(A)} = \frac{\mathrm{Prob}(C \cap A)}{\mathrm{Prob}(B)} \cdot \frac{\mathrm{Prob}(B)}{\mathrm{Prob}(A)} = \frac{\mathrm{Prob}(C \cap A)}{\mathrm{Prob}(A)} = \mathrm{Prob}(C|A).$$

Lemma 3.2. If $0 \leq x < 1$, then $\log((1 - x)^{-1}) \geq x$.

Proof. Observe that the function $f(x) = x - \log((1 - x)^{-1})$ is strictly decreasing for $0 \leq x < 1$ and $f(0) = 0$.

The following is a general version of Dedekind's modular law. Its proof can be carried out following that of O 1.3.14].

Lemma 3.3. If $U$ and $V$ are subsets and $Z$ is a subgroup of a group such that $VZ \subseteq V$ then $(V \cap U)Z = V \cap (UZ)$.

In this paper we use several types of randomised algorithms, that is, algorithms that involve a random choice at some point, so that they do not behave in the same way every time the algorithm is run. We also use algorithms which involve no random choices, that is, deterministic algorithms. We collect together here the definitions of these types of algorithms. To aid our exposition we give slightly different definitions of these algorithm types than normal, and we comment on the differences below.

Definition 3.4. (a) Let $\varepsilon$ be a real number satisfying $0 \leq \varepsilon < 1/2$. A Monte Carlo algorithm with 'error probability' $\varepsilon$ is an algorithm that always terminates after a finite number of steps, such that the probability that the algorithm gives an incorrect answer is at most $\varepsilon$.

(b) A one-sided Monte Carlo algorithm is a Monte Carlo algorithm which has two types of output (typically 'yes' and 'no'), and one of the answers is guaranteed to be correct.

(c) A Las Vegas algorithm with 'failure probability' $\varepsilon$ (where $0 \leq \varepsilon < 1/2$) terminates after a finite number of steps and either returns an answer, or reports failure. An answer, if given, is always correct, while the probability that the algorithm reports failure is at most $\varepsilon$.

(d) For the purposes of this paper, a deterministic algorithm is a Monte Carlo algorithm for which the 'error probability' $\varepsilon$ is 0, or equivalently, a Las Vegas algorithm for which the 'failure probability' $\varepsilon$ is 0.

Note that our definitions of Monte Carlo and Las Vegas algorithms vary from the usual ones in that we allow $\varepsilon$ to be zero. The reason for this is that some versions of our BasicSift algorithm may be deterministic, that is, have zero probability of failure or of returning an incorrect answer. For ease of exposition we decided to treat such an algorithm as a special case of a Monte Carlo or Las Vegas algorithm.



4. The generalised sifting algorithm 

In this section we present an algorithm for sifting an element $g$ of a finite group $G$ down a (given and precomputed) descending chain (1) of subsets of a subgroup $G_0$ of $G$. The algorithm returns either Fail, or a word $x = s_0 \cdots s_k \in G_0$ such that $gx = 1$, $S_i s_i \subseteq S_i$ for each $i < k$, and $s_k$ or its inverse lies in $S_k$. If $g \in G_0$, then (see Theorem 4.2) the probability that the algorithm returns Fail is proved to be at most some pre-assigned quantity $\varepsilon$. Usually the $s_i$ are returned as words in a given set $Y$ of generators for $G_0$, or as straight line programs from the given generating set $Y$. The algorithm is applied in one of the following contexts.

(1) The element $g$ is known to lie in $G_0$ and the purpose of the algorithm is to express $g$ as a word in a given generating set. In this context, Theorem 4.2 proves that the algorithm fails with probability at most $\varepsilon$, for some pre-assigned non-negative real number $\varepsilon < 1/2$. Hence, in this context, Algorithm 1 is a Las Vegas algorithm.

(2) We only assume that $g \in G$, and the aim is to discover whether or not $g$ lies in $G_0$. In this context, Theorem 4.2 proves that if the algorithm returns an expression for $g$, then $g$ must lie in $G_0$. On the other hand, if the algorithm returns Fail then the element $g$ may or may not lie in $G_0$. Moreover, if $g \in G_0$, then the probability that the algorithm will return Fail is less than some pre-assigned real number $\varepsilon$ where $0 \leq \varepsilon < 1/2$. Hence, in this context (if we interpret the result Fail as a finding that $g \notin G_0$), Algorithm 1 is a one-sided Monte Carlo algorithm.

In either case we allow the probability bound $\varepsilon$ to be zero, and in this situation the resulting algorithm is deterministic. The basic building block for our algorithm is described in the following definition.

Definition 4.1. A 4-tuple $(G_0, H, K, \text{BasicSift})$ is said to satisfy the basic sift condition in a group $G$, if the following hold:

(a) $G$ is a finite group with a subgroup $G_0$;

(b) $H$ and $K$ are non-empty subsets of $G_0$ such that either $K = \{1\}$ or $K \subseteq H$;

(c) BasicSift is a Monte Carlo algorithm whose input is a pair $(g, \varepsilon)$, where $g \in G$ and $\varepsilon$ is a non-negative real number. It satisfies the following condition, either for all inputs $(g, 0)$ (in which case it is a deterministic algorithm), or for all inputs $(g, \varepsilon)$ with $0 < \varepsilon < 1/2$. The output $y$ is either Fail, or an element of $G_0$ such that $Hy \subseteq H$ (if $K \subseteq H$) or $y^{-1} \in H$ (if $K = \{1\} \not\subseteq H$). Moreover, if $g \in H$, then $\mathrm{Prob}(y = \text{Fail, or } (y \in G_0 \text{ and } gy \notin K)) \leq \varepsilon$.

To avoid confusion we comment on the formulation of the condition in Definition 4.1(c). Note that $H$ is in general not a subgroup, and hence $Hy \subseteq H$, for $y \in G$, does not imply that either of $y$ or $y^{-1}$ lies in $H$. After considering many special cases, we realised that the set inclusion $Hy \subseteq H$ was the appropriate requirement.

Suppose that $G$ is a finite group with a subgroup $G_0$ and

$$G_0 = S_0 \supseteq S_1 \supseteq \cdots \supseteq S_{k-1} \supseteq S_k$$

is a chain of non-empty subsets of $G$, and set $S_{k+1} = \{1\}$. Suppose further that, for $i = 0, \dots, k$, BasicSift$_i$ is an algorithm such that $(G_0, S_i, S_{i+1}, \text{BasicSift}_i)$ satisfies the basic sift condition in $G$. Then there is a Las Vegas algorithm that, for a given $g \in G$, returns either 'failure' or an element $s_0 s_1 \cdots s_k$ of $G_0$ such that $S_i s_i \subseteq S_i$ for each $i < k$, the element $s_k$ or its inverse lies in $S_k$, and $g s_0 s_1 \cdots s_k = 1$. Indeed, as shown in Theorem 4.2, Algorithm 1 has this property.

Theorem 4.2. Suppose that $G$, $G_0$, $S_0, \dots, S_{k+1}$, and BasicSift$_0$, ..., BasicSift$_k$ are as in the previous paragraph, and let Sift denote Algorithm 1. Let $g \in G$ and $\varepsilon_0, \dots, \varepsilon_k$ be non-negative real numbers such that $\sum_i \varepsilon_i < 1/2$. Then the following hold.

(i) If Sift$(g, (\varepsilon_0, \dots, \varepsilon_k))$ returns a group element $x$, then $g = x^{-1} \in G_0$ and $x = s_0 s_1 \cdots s_k$, where $S_i s_i \subseteq S_i$ for each $i \in \{0, 1, \dots, k-1\}$, and $s_k \in S_k$ if $S_k$ contains 1, while $s_k^{-1} \in S_k$ otherwise.

(ii) The conditional probability that Sift$(g, (\varepsilon_0, \dots, \varepsilon_k))$ returns Fail, given that $g \in G_0$, is at most $\sum_i \varepsilon_i$.

Algorithm 1: The generalised sift algorithm (Sift)

    /* see Theorem 4.2 for notation */
    Input: $g \in G$ and $(\varepsilon_0, \dots, \varepsilon_k)$ with $\varepsilon_i \geq 0$ and $\sum_i \varepsilon_i < 1/2$;
    Output: either $x = s_0 \cdots s_k$ with $S_i s_i \subseteq S_i$ for $i < k$ and $gx = 1$, or Fail;

    set $x = 1$;
    for $i = 0$ to $k$ do
        set $s_i$ = BasicSift$_i$($gx$, $\varepsilon_i$);
        if $s_i$ = Fail then
            return Fail
        else
            set $x = x s_i$
        end
    end
    if $gx \neq 1$ then
        return Fail
    else
        return $x$
    end
Proof. (i) Suppose that a group element $x = s_0 s_1 \cdots s_k$ is returned. Then the $s_i$ are group elements computed as in Algorithm 1. From Definition 4.1(c), since each $s_i$ is a group element, we have that $S_i s_i \subseteq S_i$ for each $i \in \{0, 1, \dots, k-1\}$, and also for $i = k$ if $1 \in S_k$, while if $1 \notin S_k$, then $s_k^{-1} \in S_k$. Further, if $1 \in S_k$, then $S_k s_k$ contains $s_k$, and hence $S_k$ contains $s_k$. Finally, for each $i$, $s_i$ lies in $G_0$ since the algorithm BasicSift$_i$ involves random selections from the group $G_0$. Moreover, by the last if statement of Algorithm 1 we have $gx = 1$ so that $g = x^{-1} \in G_0$.

(ii) Let $E_0$ denote the event that $g \in G_0$, and recall that $G_0 = S_0$ and $S_{k+1} = \{1\}$. For each $i = 1, \dots, k$, let $E_i$ denote the event that the $i$-th execution of the for loop in Algorithm 1 is attempted, is successful and returns a correct answer. In other words,

$E_i$ : $E_{i-1}$ holds, $S_j s_j \subseteq S_j$ for all $j = 0, \dots, i-1$, and $g s_0 \cdots s_{i-1} \in S_i$.

Also define $E_{k+1}$ to be the event that the final execution of the for loop is attempted, is successful and returns a correct answer. That is,

$E_{k+1}$ : $E_k$ holds, $S_j s_j \subseteq S_j$ for all $j = 0, \dots, k-1$, and $g s_0 \cdots s_k = 1$.

Then the probability that Algorithm 1 returns $x = s_0 s_1 \cdots s_k$ with $S_i s_i \subseteq S_i$ for all $i = 0, \dots, k-1$, and $gx = 1$, given that $g \in G_0$, is, by definition, $\mathrm{Prob}(E_{k+1} \mid E_0)$.

Now $E_{k+1} \subseteq E_k \subseteq \cdots \subseteq E_0$, and hence by several applications of Lemma 3.1 we have that $\mathrm{Prob}(E_{k+1} \mid E_0) = \prod_{i=0}^{k} \mathrm{Prob}(E_{i+1} \mid E_i)$. Since $(G_0, S_i, S_{i+1}, \text{BasicSift}_i)$ satisfies the basic sift condition in $G$ for each $i = 0, \dots, k$, $\mathrm{Prob}(E_{i+1} \mid E_i) \geq 1 - \varepsilon_i$ for each $i = 0, \dots, k$. Hence

$$\mathrm{Prob}(E_{k+1} \mid E_0) \geq \prod_{i=0}^{k} (1 - \varepsilon_i).$$

Since $0 \leq \varepsilon_i < 1$ for all $i$, we have $\prod_i (1 - \varepsilon_i) \geq 1 - \sum_i \varepsilon_i$ (use induction on $k$), and hence the required probability in part (ii) is at most $\sum_i \varepsilon_i$. □

Algorithm 1 allows different types of algorithms to be used for different links of the chain. For example, if $S_k$ is small, then BasicSift$_k$ relies sometimes on nothing more than an exhaustive search through the elements of $S_k$ with the parameter $\varepsilon_k = 0$. Two special types of BasicSift algorithms are described in detail in Sections 7 and 8. We first explore their common properties as one-sided Monte Carlo algorithms in Sections El and El

5. BasicSift: a general approach 

In this section we present a general approach to designing a 4-tuple that satisfies the basic sift condition. The results of this section will become relevant in the discussion of the two algorithms in Sections 7 and 8. We will use one of the general methods given in this section in nearly all cases when we wish to sift an element of $S_i$ into the next subset $S_{i+1}$ in a subset chain (1). The exceptional case occurs when $1 \notin S_i$ and $S_{i+1} = \{1_G\}$, and, as we mentioned at the end of the previous section, in this exceptional case we would typically use an exhaustive search through $S_i$ to find the required 'sifting element'.

Our general approach assumes that we are able to test membership in each of the $S_i$ and to select a uniformly distributed random element from some subset 'related to' $S_i$ in the chain (1); see Section 2 for examples.

Definition 5.1. A 4-tuple $(G_0, H, K, \text{IsMember})$ is said to satisfy the membership test condition in $G$ if the following hold:

(a) $G$ and $G_0$ are finite groups such that $G_0 \leq G$;

(b) $H$ and $K$ are non-empty subsets of $G_0$ such that $H \supseteq K$.

(c) IsMember is a one-sided Monte Carlo algorithm whose input is a pair $(y, \varepsilon)$, where $y \in G$ and $\varepsilon$ is a non-negative real number. It satisfies the following condition, either for all inputs $(y, 0)$ (in which case it is a deterministic algorithm), or for all inputs $(y, \varepsilon)$ with $0 < \varepsilon < 1/2$. The output is either True or False, and moreover, if $y \in K$ then the output is True, and also $\mathrm{Prob}(\text{output is True} \mid y \in H \setminus K) \leq \varepsilon$.

Note: For an enhanced version of an IsMember test giving back additional information 
for later use consult the examples for Mn and Ly in Section fTUl 

We show that if a 4-tuple $(G_0, H, K, \text{IsMember})$ satisfies the membership test condition in a group $G$, then we can design an algorithm BasicSift such that $(G_0, H, K, \text{BasicSift})$ satisfies the basic sift condition in $G$. As mentioned above, we assume that we can select uniformly distributed random elements from some subset $L$ of $G$ 'related to' the subset $H$. The most general conditions that the subset $L$ must satisfy are given in the following definition.

Definition 5.2. Suppose that $G$ is a finite group and $H, K, L \subseteq G$. We say that $(H, K, L)$ is a sifting triple if

$$HL \subseteq H, \text{ and, for all } h \in H,\ hL \cap K \neq \emptyset. \tag{3}$$

The reason why we introduce the subset $L$ in a sifting triple is that it is rarely possible to make random selections from arbitrary subsets of $G$, such as $H$, but we can often make random selections from subgroups. Thus one choice for $L$ is a subgroup satisfying (3). Moreover we can sometimes obtain a more efficient algorithm by restricting to a 'nice subset' $L$ of such a subgroup, provided that we can still make random selections from $L$. Sometimes this is possible simply because $L$ is small enough to hold in the memory. In that latter case we do not have to perform a random search, but can use an exhaustive search. This is analysed in Section

If $(H, K, L)$ is a sifting triple then the number

$$p(H, K, L) = \min_{h \in H} \frac{|hL \cap K|}{|L|}$$

is called the sifting parameter. We note that the definition of a sifting triple implies that $p(H, K, L) > 0$. The sifting parameter plays an important role in estimating the complexity of Algorithm 2.

5.1. A BasicSift algorithm using random search. 



Algorithm 2: A BasicSift algorithm using random search (BasicSiftRandom)

    /* See Theorem 5.3 for notation */
    Input: $(x, \varepsilon)$ where $x \in G$, and $0 < \varepsilon < 1/2$;
    Output: $y$, where either $y$ = Fail, or $y \in S$;

    set $e = 0$ if IsMember is deterministic, $e = \varepsilon p/(2(1-p))$ otherwise;
    set $N = \lceil \log(\varepsilon)/\log(1-p) \rceil$ if IsMember is deterministic, $N = \lceil \log(\varepsilon/2)/\log(1-p) \rceil$ otherwise;
    set $n = 0$;
    repeat
        set $y$ = RandomElement($L$);
        if IsMember($xy$, $e$) then
            return $y$
        end
        set $n = n + 1$
    until $n \geq N$;
    /* at this stage, none of the elements y has been returned during the for-loop */
    return Fail

Theorem 5.3. Suppose that $(G_0, H, K, \text{IsMember})$ satisfies the membership test condition in a group $G$ and that $L$ is a subgroup of $G_0$ such that $(H, K, L)$ is a sifting triple. If RandomElement($L$) returns uniformly distributed, independent random elements of $L$, and BasicSift is Algorithm 2, then the 4-tuple $(G_0, H, K, \text{BasicSift})$ satisfies the basic sift condition in $G$. Moreover the cost of executing BasicSiftRandom$(\cdot, \varepsilon)$ is at most

$$O\!\left(\log(\varepsilon^{-1})\, p^{-1}\, (\xi + \varrho + \nu(e))\right),$$

where $p = p(H, K, L)$ and $\varrho$, $\xi$, and $\nu(e)$ are upper bounds for the costs of a group operation in $G$, a random selection from $L$, and one run of the procedure IsMember$(\cdot, e)$, respectively, where $e = 0$ if IsMember is deterministic, and $e = \varepsilon p(H, K, L)/(2 - 2p(H, K, L))$ otherwise.

Proof. If a group element y is returned then, by Q, Hy C HL C H. 

Let E denote the event that "the output of the procedure is either Fail or an element 
y with xy ^ K" . We are required to show that Prob(i?|a; E H) ^ e. Suppose that 
X E H. For i = 0, . . . , N — 1, let Ei denote the event "the {i + l)-th execution of 
the procedure RandomElement occurs"; let yi denote the element y returned by the 
{i + l)-th execution of RandomElement, and let Zi denote the result returned by the 
call to IsMEMBER(x?/j, e). If Ei does not occur for some i then the values of and Zi are 
undefined. The event Ei is the disjoint union of the following three events: 

Ki : Ei and xyi G K; 

Fi : Ei and xyi ^ K and Zi = False; 

Ti : Ei and xyi ^ K and Zi = True. 

Note that Ei occurs if and only if, for each j < i, the event Ej occurred and zj = False, 
that is to say, Ei = FqC] - ■ -Fj_i. Similarly, given, x E H, the event E occurs if and only 
if either Fq fl Fi fl ■ ■ ■ fl -F/v_i occurs, or, for some i, each of Ei, . . . ,Ei occurs, xyi ^ K 
and Zi = True. 

Suppose now that $x \in H$, and let $y \in L$ such that $xy \notin K$. Then by (jH)), $xy \in HL \subseteq H$,
and hence $xy \in H \setminus K$. By the definition of the membership test condition, the conditional
probability $e_0$ that the returned value of IsMember($xy$, $e$) is True, given that $xy \in H \setminus K$,
satisfies $0 \le e_0 \le e$.

Let $p$ denote the sifting parameter $p(H, K, L)$. Since we are making independent uniform
random selections, we have, for each $i \le N-1$, that the probability $\mathrm{Prob}(K_i \mid E_i)$ is
independent of $i$, and also that

\[ \mathrm{Prob}(K_i \mid E_i) = \frac{|xL \cap K|}{|L|} \ge p. \]

Set $p_0 = \mathrm{Prob}(K_i \mid E_i)$. Then, using the rule $\mathrm{Prob}(A \cap B \mid C) = \mathrm{Prob}(A \mid B \cap C)\,\mathrm{Prob}(B \mid C)$,
$\mathrm{Prob}(F_i \mid E_i) = \mathrm{Prob}(xy_i \notin K \mid E_i) \cdot \mathrm{Prob}(z_i = \text{False} \mid E_i \text{ and } xy_i \notin K) = (1 - p_0)(1 - e_0)$
with $e_0$ as defined above, and similarly $\mathrm{Prob}(T_i \mid E_i) = (1 - p_0)e_0$.

The procedure finishes when processing the $i$-th random element $y_i$ if it has not finished
while processing $y_j$ for any $j < i$, and either $K_i$ or $T_i$ occurs. In this situation, if $K_i$ occurs,
then by the requirements of the membership test condition, the procedure will return $y_i$
with $xy_i \in K$; similarly, if $T_i$ occurs, then again the procedure will return $y_i$, but this time
with $xy_i \notin K$. Thus the procedure returns the element $y_i$ with $xy_i \notin K$ (for a particular
value of $i$) if and only if $F_0 \cap \cdots \cap F_{i-1} \cap T_i = T_i$ occurs, and

\[ \mathrm{Prob}(T_i) = e_0(1 - p_0)\bigl((1 - p_0)(1 - e_0)\bigr)^i. \]

It follows that the procedure returns an element $y \in L$ with $xy \notin K$ if and only if $T_i$
occurs for some $i = 0, \ldots, N-1$, and the probability of this is

\[ \sum_{i=0}^{N-1} e_0 (1 - p_0)^{i+1} (1 - e_0)^i = e_0 (1 - p_0) \, \frac{1 - (1 - p_0)^N (1 - e_0)^N}{1 - (1 - p_0)(1 - e_0)} \le \frac{(1 - p_0) e_0}{p_0}, \]

since $1 - (1 - p_0)(1 - e_0) = p_0 + (1 - p_0)e_0 \ge p_0$. Finally, the procedure returns Fail if and
only if the event $F_0 \cap F_1 \cap \cdots \cap F_{N-1}$ occurs and the probability of this is $(1 - p_0)^N (1 - e_0)^N$.

We derive the required estimates of these probabilities as follows. Note that, since
$p \le p_0$ and $0 \le e_0 \le e$, we have

\[ \frac{(1 - p_0) e_0}{p_0} = (p_0^{-1} - 1) e_0 \le (p^{-1} - 1) e \]

and this is 0 if $e = 0$, and is $\varepsilon/2$ otherwise. Hence, the probability that the procedure
returns an element $y \in L$, with $Hy \subseteq H$ and $xy \notin K$, is 0 if IsMember is deterministic,
and is at most $\varepsilon/2$ otherwise. Similarly, the probability that the procedure returns Fail
is

\[ (1 - p_0)^N (1 - e_0)^N \le (1 - p)^N \le \varepsilon/\delta, \]

by the definition of $N$, where $\delta = 1$ if IsMember is deterministic, and $\delta = 2$ otherwise.
Thus $(G_0, H, K, \text{BasicSift})$ satisfies the basic sift condition in $G$.

Finally we estimate the cost. For each run of the repeat loop, first we select a random
element of $L$ at a cost of at most $\xi$. Then we perform a group operation to compute $xy$
and we run IsMember($xy$, $e$) at a cost of at most $\varrho + \nu(e)$, where $e = 0$ if IsMember
is deterministic, and $e = \varepsilon p/(2(1 - p))$ otherwise. The number of runs of the loop is at
most $N$ and, by Lemma , $N$ is $O(\log(\varepsilon^{-1}) p^{-1})$. Thus the upper bound for the cost is
proved. (Note that, for $\varepsilon < 1/2$ we have that $\varepsilon p/(2(1 - p)) < 1/2$ also.) □

As already explained before Theorem 5.3, we often work with sifting triples $(H, K, L)$
in which $L$ is a subgroup of $G_0$. Usually, there will be another subgroup $L' < L$, which is
used to define $K$ and we have $KL' \subseteq K$. In this situation the following concept applies.

Definition 5.4. Suppose that $G$ is a finite group and that $L$, $L'$ are subgroups of $G$.
A non-empty subset $S$ of $L$ is said to be left $L'$-uniform if $S$ has the same number of
elements in each of the left $L'$-cosets in $L$. In other words, $|S \cap \ell L'|$ is constant for all

A left $L'$-uniform subset in $L$ must contain a left transversal for $L'$ in $L$. Notice that
$L$ is left $\{1\}$-uniform, and more generally, if $L'$ is a subgroup, then any left transversal
for $L'$ in $L$ is left $L'$-uniform. As will become clear in the next lemma, $L'$-uniform sets $S$
have 'nice' properties with respect to the calculation of probabilities. In certain cases we
need to consider sifting triples $(H, K, S)$ in which $S$ is a left $L'$-uniform subset in some
subgroup $L$ for which $(H, K, L)$ is also a sifting triple. We show that in such cases the
sifting parameter $p(H, K, S)$ is independent of the subgroup $L'$ and the left $L'$-uniform
subset $S$, and depends only on the subgroup $L$.

Lemma 5.5. Let $(H, K, L)$ be a sifting triple in which $L$ is a subgroup, let $L'$ be a subgroup
of $L$ with $KL' \subseteq K$, and let $S$ be a left $L'$-uniform subset of $L$. Then $(H, K, S)$ is also a
sifting triple and $p(H, K, S) = p(H, K, L)$.

Proof. Since $HL \subseteq H$ and $S \subseteq L$, it follows that $HS \subseteq H$. Let $h \in H$. We shall
show that $|hS \cap K|/|S| = |hL \cap K|/|L|$. The result will then follow. By ©, $hL \cap K \ne \emptyset$.
Note that, since $L'$ is a subgroup of $L$, and since $S$ is left $L'$-uniform, it follows that
$L = SL'$, and $LL' = L$. In addition, we have $KL' = K$. Thus Lemma 3.3 implies that
$(hL \cap K)L' = hL \cap K$, and in particular, $hL \cap K$ is a union of $r$ left $L'$-cosets, for some
$r > 0$. Each of these cosets is contained in $hL = hSL'$ and hence is of the form $hsL'$ for
some $s \in S$. Thus $hL \cap K = \bigcup_{i=1}^{r} hs_iL'$ for some $s_1, \ldots, s_r \in S$.

Further, since $S$ is left $L'$-uniform, the size $q = |s_iL' \cap S|$ is independent of $i$. Moreover,
for each $i \le r$, $hs_iL' \cap hS = h(s_iL' \cap S)$, and since $hS \subseteq hL$ it follows that

\[ hS \cap K = (hL \cap K) \cap hS = \bigcup_{i=1}^{r} (hs_iL' \cap hS) = \bigcup_{i=1}^{r} h(s_iL' \cap S), \]

and therefore $|hS \cap K| = rq$. On the other hand, $hL \cap K = \bigcup_{i=1}^{r} hs_iL'$ has size $r|L'|$.
Since $S$ has exactly $q$ elements in each of the left $L'$-cosets in $L$, we have $|S| = q|L : L'|$,
and hence

\[ \frac{|hL \cap K|}{|L|} = \frac{r|L'|}{|L|} = \frac{rq}{|S|} = \frac{|hS \cap K|}{|S|}, \]

proving the claim. □

5.2. A BasicSift algorithm using a stored transversal.

We now turn to a second general approach to designing a 4-tuple that satisfies the
basic sift condition. This algorithm is defined for the case when we have a sifting triple
$(H, K, L)$ and a subgroup $L' \le L$ as in Lemma 5.5. Unlike Algorithm 2, where we choose
elements of $L$ at random, Algorithm 3 deterministically tests every element of a complete
set $S$ of left coset representatives calculated beforehand. Thereby we turn the random
search above into a deterministic exhaustive search. As will be explained below, this can
reduce the expected value of the runtime significantly.

We use Algorithm 3 when the index of $L'$ in $L$, and thus the size of $S$, is small enough
to allow $S$ to be stored completely. We still allow the use of randomised or deterministic
IsMember methods. In the latter case, the whole basic sift procedure is deterministic.

We would like to draw attention to a little trick we use to simplify the analysis of the
error probability of Algorithm 3. We artificially introduce a randomly chosen order in
which the coset representatives are tried. This makes the analysis less dependent on the
input group element.

Theorem 5.6. Suppose that $(G_0, H, K, \text{IsMember})$ satisfies the membership test
condition in a group $G$. Assume further that $L$ is a subgroup of $G_0$, such that $(H, K, L)$
is a sifting triple, that $L' < L$ with $KL' = K$, and that $S = \{s_1, \ldots, s_k\}$ is a left
transversal of $L'$ in $L$. If, for any $T \subseteq S$, RandomElement($T$) returns uniformly
distributed, independent random elements of $T$, and BasicSift is Algorithm 3, then the
4-tuple $(G_0, H, K, \text{BasicSift})$ satisfies the basic sift condition in $G$.

The cost of executing BasicSiftCosetReps($\cdot$, $\varepsilon$) is less than $k \cdot (\xi_S + \varrho + \nu(e))$ where
$\xi_S$ is an upper bound for the cost of selecting a random element from a subset of $S$, $\varrho$
and $\nu(e)$ are upper bounds for the costs of a group operation in $G$, and one run of the
procedure IsMember($\cdot$, $e$), respectively. Here $e = 0$ if IsMember is deterministic, and
$e = \min\{\varepsilon(n + 1)/(k - n),\ 1/3\}$ otherwise, where $n = \min_{h \in H} |hS \cap K|$.

Algorithm 3 BasicSiftCosetReps
/* See Theorem 5.6 for notation */

Input: $(g, \varepsilon)$ where $g \in G$, and $0 \le \varepsilon < 1/2$;
/* $\varepsilon = 0$ if and only if IsMember is deterministic */
Output: $y$, where either $y$ = FAIL, or $y \in S$;

set $e = 0$ if IsMember is deterministic, and
    $e = \min\{\varepsilon \cdot \frac{n+1}{k-n},\ \frac{1}{3}\}$ otherwise, where $k = |S|$, $n = \min_{h \in H} |hS \cap K|$;
set $T = S$;
for $i = 1, 2, \ldots, k$ do
    set $y$ = RandomElement($T$);
    if IsMember($gy$, $e$) then
        return $y$
    end
    set $T = T \setminus \{y\}$;
end
/* we only reach this stage if $g \notin H$, because otherwise one of the
   IsMember tests must have returned TRUE */
return FAIL

Algorithm 3: A BasicSift algorithm using a left transversal of $L'$ in $L$

Proof. We remark first, that for every $g \in H$ there is an element $\ell \in L$ such that $g\ell \in K$
by hypothesis Q. As $S$ is a left transversal for $L'$ in $L$, there are $s \in S$ and $\ell' \in L'$ such
that $\ell = s\ell'$. Now $gs\ell' \in K$, and so $gs \in KL' = K$. Therefore, if $g \in H$, then Algorithm 3
cannot return FAIL, as the IsMember test is one-sided Monte Carlo. Also, this argument
proves all statements in the theorem in the case where IsMember is deterministic.

Thus from now on we will assume that IsMember is not deterministic, and therefore
that $0 < \varepsilon < 1/2$, and hence $e$ is non-zero.

As $HL = H$, the set $H$ is a union of left $L$-cosets, and, a fortiori, also a union of
left $L'$-cosets. Analogously, $KL' = K$ means that $K$ is a union of left $L'$-cosets, and, of
course, so is $gL \cap K$. For any given $g$, the algorithm looks for a random element $y$ in
$S \subseteq L$ such that $gy \in K$; in other words, it searches the coset $gL$ for elements of $K$.
Thus, the number of elements $s \in S$ with $gs \in K$ is equal to the number of left $L'$-cosets
contained in $gL \cap K$. Let $g \in H$. As, by Lemma 5.5, $p(H, K, S) = p(H, K, L)$, and
$|gL \cap K|/|L| = |gL \cap K|/(k|L'|)$ we obtain that

\[ |gS \cap K| \ge |S| \min_{h \in H} \frac{|hS \cap K|}{|S|} = k\,p(H, K, S) = k\,p(H, K, L). \]

Let $E$ denote the event "the procedure returns $y \in S$ with $gy \notin K$". To check the basic
sift condition for Algorithm 3 in the case of a randomised IsMember test, we have to
show that $\mathrm{Prob}(E \mid g \in H) \le \varepsilon$.

Suppose now that $g \in H$. For $i = 1, \ldots, k$, let $E_i$ denote the event: "the $i$-th execution
of the procedure RandomElement occurs"; let $y_i$ denote the element $y$ returned by the
$i$-th execution of the procedure RandomElement, and let $z_i$ denote the result returned
by the call to IsMember($gy_i$, $e$) (for steps $i$ that do not happen, $y_i$ and $z_i$ are undefined).

Then $E_i$ is the disjoint union of the following three events:

$K_i$ : $E_i$ and $gy_i \in K$;

$F_i$ : $E_i$ and $gy_i \notin K$ and $z_i$ = False;

$T_i$ : $E_i$ and $gy_i \notin K$ and $z_i$ = True.

Note that $E_i$ occurs if and only if, for each $j < i$, the event $E_j$ occurred and $z_j$ = False,
that is to say, $E_i = F_1 \cap \cdots \cap F_{i-1}$. Similarly, given $g \in H$, the event $E$ occurs if and only
if, for some $i$, each of $E_1, \ldots, E_i$ occurs, $gy_i \notin K$, and $z_i$ = True. Thus, given $g \in H$, the
event $E$ occurs if and only if $F_1 \cap \cdots \cap F_{i-1} \cap T_i = T_i$ occurs for some $i$ with $1 \le i \le k$.

Since in step $i$ we choose $y_i$ only among those coset representatives that have not
been tried before and we only reach step $i$ if $gy_j \notin K$ for $1 \le j < i$, the probability
$\mathrm{Prob}(gy_i \notin K \mid E_i)$ is not independent of $i$. Namely,

\[ \mathrm{Prob}(gy_i \notin K \mid E_i) = \frac{k + 1 - i - n_g}{k + 1 - i} \]

where $n_g = |gS \cap K|$, as in step $i$ there are $k + 1 - i$ coset representatives in the set $T$ of
which $k + 1 - i - n_g$ do not multiply $g$ into $K$.

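It is easy to see that

\[ \mathrm{Prob}(F_i \mid E_i) = \mathrm{Prob}(gy_i \notin K \mid E_i) \cdot \mathrm{Prob}(z_i = \text{False} \mid gy_i \notin K \text{ and } E_i) \]

and so

\[ \mathrm{Prob}(F_i \mid E_i) \le \frac{k + 1 - i - n_g}{k + 1 - i}. \]

Similarly we have

\[ \mathrm{Prob}(T_i \mid E_i) \le \frac{k + 1 - i - n_g}{k + 1 - i} \cdot e. \]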

As in the proof of Theorem 5.3, Algorithm 3 finishes in step $i$, if it has not finished in
an earlier step, and $K_i$ or $T_i$ occurs. In this situation, if $K_i$ occurs, then the procedure
will return $y_i$ with $gy_i \in K$ which is a correct result. Therefore, an error produced by
step $i$ occurs exactly in the event $T_i$, and

Moreover, no error can possibly occur in step $i$ for $i > k - n_g$.

Therefore, for an input $(g, \varepsilon)$ with $g \in H$, the total probability that Algorithm 3 returns
an element $y \in S$ with $gy \notin K$ is

\[ \sum_{i=1}^{k - n_g} \mathrm{Prob}(T_i) \le \sum_{i=1}^{k - n_g} \left( \prod_{j=1}^{i} \frac{k + 1 - j - n_g}{k + 1 - j} \right) \cdot e. \]



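Note that, for $i = 1, \ldots, k - n_g$,

\[ \prod_{j=1}^{i} \frac{k + 1 - j - n_g}{k + 1 - j} = \frac{(k - n_g)(k - n_g - 1) \cdots (k - n_g - i + 1)}{k(k - 1) \cdots (k - i + 1)} = \frac{(k - i)!}{k!} \cdot \frac{(k - n_g)!}{(k - i - n_g)!}. \]

Hence

\[ \sum_{i=1}^{k - n_g} \left( \prod_{j=1}^{i} \frac{k + 1 - j - n_g}{k + 1 - j} \right) = \sum_{i=1}^{k - n_g} \frac{(k - i)!}{k!} \cdot \frac{(k - n_g)!}{(k - i - n_g)!} = \binom{k}{n_g}^{-1} \sum_{i=1}^{k - n_g} \binom{k - i}{n_g}. \]

We can simplify the sum further by repeated use of the well known summation formula
for binomial coefficients:

\[ \binom{a}{b} + \binom{a}{b - 1} = \binom{a + 1}{b}. \]

The last summand (with $i = k - n_g$) is equal to $\binom{n_g}{n_g} = 1 = \binom{n_g + 1}{n_g + 1}$. In the latter form it
can be added to the second last summand resulting in $\binom{n_g + 2}{n_g + 1}$. This can be repeated until
the first summand, thereby proving that

\[ \sum_{i=1}^{k - n_g} \binom{k - i}{n_g} = \binom{k}{n_g + 1}. \]

This, however, implies that the total probability of an error is

\[ \binom{k}{n_g}^{-1} \binom{k}{n_g + 1} \cdot e = \frac{n_g! \, (k - n_g)!}{k!} \cdot \frac{k!}{(n_g + 1)! \, (k - n_g - 1)!} \cdot e = \frac{k - n_g}{n_g + 1} \cdot e. \]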

Thus, as $n \le n_g$, for an arbitrary element $g \in H$, the error probability is bounded by

\[ \frac{k - n}{n + 1} \cdot e \le \varepsilon. \]

As for the cost, the loop terminates at the latest after $k$ steps, each of which has a
random element selection from $T$, one group multiplication for computing $gy_i$, and one
call to IsMember. □

Our hypotheses in Theorem 5.6 imply that $S$ is $L'$-uniform. However, since we want
to store $S$ completely, there is no point in choosing left $L'$-uniform sets with two or more
elements in each left $L'$-coset of $L$.

5.3. Comments on and comparison of Algorithms 2 and 3.

To compare Algorithms 2 and 3, assume that $L$ is a subgroup and we want to sift
from a set $H$ with $HL = H$ down to a set $K$ with $KL' = K$, and that $L' < L$ with
$[L : L'] = k$. Then we can either use Algorithm 2 or use Algorithm 3 with $S$ being a left
transversal of $L'$ in $L$. Recall that $p(H, K, L) = p(H, K, S) = p$, say (see Lemma 5.5). Let
$k$ denote the index $|L : L'|$, and let $n$ denote $\min_{h \in H} |hS \cap K| = pk$. In the second case
we have to calculate and store $S$ beforehand. In Algorithm 3, once we compute that a
random element $y$ does not multiply $g$ into $K$, $y$ cannot be selected again by a subsequent
call of RandomElement. Therefore we expect that Algorithm 3 performs better than
Algorithm 2 in this situation.

In Algorithm 2 the bound for the error probability in all calls of the IsMember test
is $e_1 = \varepsilon p/(2 - 2p) = \varepsilon n/(2(k - n))$ (recall that $p = n/k$), whereas in Algorithm 3 the
bound for the error probability for the IsMember calls is $e_2 = \varepsilon(n + 1)/(k - n)$ (at least
when $\varepsilon$ is not too big so that $e_2$ is not defined to be 1/3), which is a little bit more than
$2e_1$. Thus, due to the deterministic nature of the choice of $y$ in Algorithm 3 we can afford
bigger error bounds for the IsMember tests. Further, the expected number of steps in
Algorithm 2 is $1/p$ (geometric distribution), which is $k/n$ as $p = n/k$. The expected
number of steps in Algorithm 3 is $(k + 1)/(n + 1)$.

These calculations suggest that, whenever it is possible to store all elements of $S$,
Algorithm 3 should be preferred over Algorithm 2.
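The following Python sketch is an added example, not code from the paper or its GAP package. It runs Algorithm 3 on a constructed toy sifting triple (H = L = Sym(5), L' the stabiliser of a point, K a union of two left L'-cosets) and checks Lemma 5.5, the error bound (k - n)/(n + 1) · e and the expected step counts compared above; all function names and the noisy IsMember model are assumptions made for illustration.

```python
import itertools
import random
from fractions import Fraction
from math import comb

def mul(p, q):
    """Product pq for the right action used in the paper: apply p first, then q."""
    return tuple(q[i] for i in p)

def make_setup(deg=5, m=2):
    """Constructed toy sifting triple (H, K, L) with H = L = Sym(deg).

    L' is the stabiliser of the point 0.  K consists of the permutations that map
    one of the points 0..m-1 to 0; it is a union of m left L'-cosets, so KL' = K.
    """
    L = list(itertools.permutations(range(deg)))
    def in_K(g):
        return g.index(0) < m              # g.index(0) is the point that g maps to 0
    S = []                                 # left transversal of L' in L
    for j in range(deg):
        s = list(range(deg))
        s[0], s[j] = s[j], s[0]            # the transposition (0 j) maps j to 0
        S.append(tuple(s))
    return L, S, in_K

def sifting_parameter(H, X, in_K):
    """p(H, K, X) = min over h in H of |hX ∩ K| / |X|."""
    return min(Fraction(sum(in_K(mul(h, x)) for x in X), len(X)) for h in H)

def noisy_is_member(in_K, rng):
    """One-sided Monte Carlo test: always True on K, True with probability e off K."""
    return lambda x, e: in_K(x) or rng.random() < e

def basic_sift_coset_reps(g, eps, S, n, is_member, rng):
    """Algorithm 3: try every stored coset representative once, in random order."""
    k = len(S)
    if eps == 0 or n == k:                 # deterministic test, or no bad representative
        e = Fraction(0)
    else:
        e = min(eps * Fraction(n + 1, k - n), Fraction(1, 3))
    T = list(S)
    for _ in range(k):
        y = T.pop(rng.randrange(len(T)))   # y = RandomElement(T); T = T \ {y}
        if is_member(mul(g, y), e):
            return y
    return None                            # FAIL: only reachable when g is not in H

def exact_error(k, n_g, e):
    """Exact probability that Algorithm 3 returns y with gy not in K, assuming every
    test of an element outside K answers True with probability exactly e."""
    total, reach = Fraction(0), Fraction(1)            # reach = Prob(E_i)
    for i in range(1, k - n_g + 1):
        bad = Fraction(k + 1 - i - n_g, k + 1 - i)     # Prob(g y_i not in K | E_i)
        total += reach * bad * e                       # Prob(T_i)
        reach *= bad * (1 - e)                         # Prob(E_{i+1})
    return total

def expected_steps(k, n):
    """Expected number of loop passes of Algorithm 3 when IsMember is deterministic."""
    steps, reach = Fraction(0), Fraction(1)
    for i in range(1, k - n + 2):
        good = Fraction(n, k + 1 - i)                  # Prob(g y_i in K | E_i)
        steps += i * reach * good
        reach *= 1 - good
    return steps

if __name__ == "__main__":
    rng = random.Random(2005)                          # fixed seed for the constructed demo
    L, S, in_K = make_setup()
    p = sifting_parameter(L, S, in_K)
    k, n = len(S), int(p * len(S))
    print("p(H,K,S) =", p, " p(H,K,L) =", sifting_parameter(L, L, in_K))
    eps = Fraction(1, 10)
    e = min(eps * Fraction(n + 1, k - n), Fraction(1, 3))
    print("bound (k-n)/(n+1)*e =", Fraction(k - n, n + 1) * e, " exact =", exact_error(k, n, e))
    print("expected steps: Algorithm 3:", expected_steps(k, n), " Algorithm 2:", Fraction(k, n))
    test = noisy_is_member(in_K, rng)
    wrong = sum(not in_K(mul(g, basic_sift_coset_reps(g, eps, S, n, test, rng)))
                for g in L for _ in range(200))
    print("observed error rate:", wrong / (200 * len(L)))
```

In this toy setting k = 5 and n = 2, so Algorithm 3 needs 2 expected steps against 5/2 for Algorithm 2, and the exact error stays below the bound because the bound drops the factors (1 - e).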

If the IsMember test is deterministic and happens to work not only for elements of $H$,
but also for arbitrary elements of $HS$, then one can dispense with the hypothesis $HS \subseteq H$
altogether and apply Algorithm 3 verbatim for any set $S \subseteq G$ satisfying $hS \cap K \ne \emptyset$ for all
$h \in H$. In this case Algorithm 3 will be a fully deterministic algorithm with guaranteed
finite runtime of at most $|S|$ steps.

6. BasicSift: with special subsets H and K

In this section we describe a rather general situation where the conditions in Q are
guaranteed to hold. The conditions on the subsets $H$, $K$ of the finite group $G$ are as
follows:

(4) $H = CL = C'L$, $K = C'L'$, where $L' < L \le G$, and $C, C' \subseteq G$, with $C, C' \ne \emptyset$.

Under these conditions we derive also a new expression for the sifting parameter
$p(H, K, L)$ required for Algorithm 2 and Theorem 5.3.

Proposition 6.1. Let $G$, $L$, $L'$, $C$, $C'$, $H$, and $K$ be as above so that (4) holds. Then
$K \subseteq H$, and if $H \ne K$ then $(H, K, L)$ is a sifting triple. Further,

pyH, K, L) = mm — = mm 



yc^y \L\ yey \L\ 

where $\mathcal{Y}$ is a set of representatives in $C'$ for the left $L$-cosets contained in $H$.

Proof. Since $L' \subseteq L$ we have $C'L' \subseteq C'L = CL$, that is, $K \subseteq H$. Note that, since
$1 \in L'$, we have $C' \subseteq K$ and $C \subseteq H$.

Suppose now that $K \ne H$. Since $H = CL$ and $L$ is a subgroup, it follows that $HL \subseteq H$.
Let $y \in H$. To complete the proof of 0, we need to show that $yL \cap K$ is non-empty.
Since $y \in H$ and $H = CL = C'L$ we have $y = ck$ where $c \in C'$, $k \in L$, and hence $c = yk^{-1}$
and $c \in yL \cap C'$. As $C' \subseteq K$, we obtain $c \in yL \cap K$. Thus $yL \cap K \ne \emptyset$.

Now it only remains to show that the assertion in the displayed line of the proposition
is valid. It follows from (4) that, for $y \in H$, $yL \cap K = yL \cap (C'L') = (yL \cap C')L'$, by
Dedekind's modular law (Lemma 3.3). Hence, for all $y \in H$, we have

\[ \frac{|yL \cap K|}{|L|} = \frac{|(yL \cap C')L'|}{|L|}. \]

Suppose that $y \in H$ and $y = ck$ where $c \in C'$ and $k \in L$. Then $yL \cap K = cL \cap K$ and
so the minimum value of $|yL \cap K|/|L|$ over all $y \in H$ is equal to the minimum value of
$|cL \cap K|/|L|$ over all $c \in \mathcal{Y}$. The displayed assertion follows. □

We will apply Algorithm 2 with $H$, $K$ as in (4) in the following context: $G_0$ is a
subgroup of a finite group $G$, the group $G_0$ has a descending subgroup chain

(5) $G_0 = L_0 > L_1 > \cdots > L_k = \{1\}$,

and also has a sequence of non-empty subsets

(6) $C_0 = \{1\}, C_1, \ldots, C_k$ such that $C_{i+1}L_i = C_iL_i$ for all $i < k$.

Thus (4) holds for $(H, K) = (C_iL_i, C_{i+1}L_{i+1})$ for each $i < k$. By Proposition 6.1 we have
a descending chain

(7) $G_0 = C_0L_0 \supseteq C_1L_1 \supseteq \cdots \supseteq C_kL_k = C_k$

and by Proposition 6.1, Algorithm 2 applies to each of the pairs $(C_iL_i, C_{i+1}L_{i+1})$ such
that $C_iL_i \ne C_{i+1}L_{i+1}$ ($0 \le i < k$). Thus if, for $i = 0, \ldots, k - 1$, the 4-tuple
$(G_0, C_iL_i, C_{i+1}L_{i+1}, \text{IsMember}_i)$ satisfies the membership test condition in $G$ for some
algorithm IsMember$_i$, and if we have an algorithm BasicSift$_k$ such that the 4-tuple
$(G_0, C_k, \{1\}, \text{BasicSift}_k)$ satisfies the basic sift condition in $G$, then we may use the
procedures BasicSift$_i$ in Algorithm 1. If $|C_k|$ is small, BasicSift$_k$ may simply test each
member of $C_k$ for equality with the input element (if $1 \notin C_k$), or its inverse (if $1 \in C_k$).
The next two sections offer some possibilities for these procedures that have been effective
for computing with some of the sporadic simple groups.

7. IsMember using conjugates

In this section we apply the theory developed in Sections El and IHl especially in SectionlHl
to sift an element down a subgroup chain such as (5) making use of an auxiliary subset
sequence. This application uses conjugates of an element $a$ with the following property:

$a \in L_{k-1} \setminus \{1\}$ such that, for each $i = 0, \ldots, k - 2$,

each $L_i$-conjugacy class in $a^{G_0} \cap L_i$ intersects $L_{i+1}$ non-trivially.

We construct an associated subset sequence (6) recursively as follows. The first subset
is $C_0 = C_{G_0}(a)\mathcal{T}_0$ where $\mathcal{T}_0 = \{1\}$. Consider a typical link in the chain, say
$L_i > L_{i+1}$ for $i \le k - 2$, and suppose that we have already constructed the subset $C_i$
corresponding to $L_i$, and $C_i$ is of the form $C_i = C_{G_0}(a)\mathcal{T}_i$, where $\{a^y \mid y \in \mathcal{T}_i\}$ is a set
of $L_i$-conjugacy class representatives in $a^{G_0} \cap L_i$. Then $a^{G_0} \cap L_{i+1} = \bigcup_{y \in \mathcal{T}_i} (a^{yL_i} \cap L_{i+1})$,
and by condition (jSl), each $a^{yL_i} \cap L_{i+1}$ is non-empty. For each $y \in \mathcal{T}_i$, choose $\mathcal{U}(y) \subseteq L_i$
such that $\{a^{yu} \mid u \in \mathcal{U}(y)\}$ is a set of representatives for the $L_{i+1}$-conjugacy classes in
$a^{yL_i} \cap L_{i+1}$. Define $\mathcal{T}_{i+1} = \bigcup_{y \in \mathcal{T}_i} y\,\mathcal{U}(y)$, and define the subset $C_{i+1}$ corresponding to $L_{i+1}$
by $C_{i+1} = C_{G_0}(a)\mathcal{T}_{i+1}$. In addition set $C_k = \{1\}$.

We prove that (4) holds, and we also derive two expressions for the sifting parameter
$p(H, K, L)$ required for Algorithm 2 and Theorem 5.3. The first expression shows that
$p(H, K, L)$ is a ratio of the sizes of two special subsets of conjugates of the element $a$,
while the second expression provides a means of computing $p(H, K, L)$ from the orders of
various centraliser subgroups.

Proposition 7.1. Suppose that $G$, $G_0$, $a$, $L_i$, $L_{i+1}$, $C_i$, $C_{i+1}$, $\mathcal{T}_i$, and the $\mathcal{U}(x)$,
for $x \in \mathcal{T}_i$, are as at the beginning of this section, and set $H = C_iL_i$, $K = C_{i+1}L_{i+1}$,
$L = L_i$, $L' = L_{i+1}$, $C = C_i$ and $C' = C_{i+1}$. Then $\mathcal{T}_{i+1}L_i = \mathcal{T}_iL_i$ and (4) holds, and if also
$H \ne K$, then $(H, K, L)$ is a sifting triple. Further,

p(if,K,L)=min^^^^l^l^ = — ^minjlCila^')! V ,^ ] ,, |. 

' ' ' ' um(x) ' ^ ^' 

Proof. By the definition of $\mathcal{T}_{i+1}$, we have that $\mathcal{T}_{i+1} \subseteq \mathcal{T}_iL_i$. Also, since (jH)) holds, for
each $x \in \mathcal{T}_i$ there exists $k \in L_i$ such that $xk \in \mathcal{T}_{i+1}$. Thus $\mathcal{T}_i \subseteq \mathcal{T}_{i+1}L_i$, and so, since $L_i$ is
a subgroup, we have

\[ \mathcal{T}_iL_i \subseteq (\mathcal{T}_{i+1}L_i)L_i = \mathcal{T}_{i+1}L_i \subseteq (\mathcal{T}_iL_i)L_i = \mathcal{T}_iL_i. \]

Hence $\mathcal{T}_{i+1}L_i = \mathcal{T}_iL_i$. To prove (4) it is sufficient to prove that $H = C'L = C_{i+1}L_i$. From
the definition of $H$ we have

\[ H = C_iL_i = C_{G_0}(a)\mathcal{T}_iL_i = C_{G_0}(a)\mathcal{T}_{i+1}L_i = C_{i+1}L_i = C'L. \]

Thus (4) holds. Moreover, if $H \ne K$, then, by Proposition 6.1, $(H, K, L)$ is a sifting
triple.

It remains to show that the value of the sifting parameter $p(H, K, L)$ is as claimed.
Suppose that $h \in H$, and that $h = cxk$ with $c \in C_{G_0}(a)$, $x \in \mathcal{T}_i$, and $k \in L_i$. We claim
that $|hL_i \cap K| = |(xL_i \cap C_{i+1})L_{i+1}|$. As $k \in L_i$, we certainly have $hL_i \cap K = cxL_i \cap K$.

An easy calculation shows that $cxL_i \cap C_{G_0}(a)\mathcal{T}_{i+1}L_{i+1} = c(xL_i \cap C_{G_0}(a)\mathcal{T}_{i+1}L_{i+1})$, and
so $|cxL_i \cap C_{i+1}L_{i+1}| = |xL_i \cap C_{i+1}L_{i+1}|$. Therefore $|hL_i \cap K| = |xL_i \cap K|$. Finally, by
Dedekind's modular law (Lemma 3.3, which applies since $\subseteq xL_i$), we obtain

\[ xL_i \cap K = xL_i \cap C_{i+1}L_{i+1} = (xL_i \cap C_{i+1})L_{i+1} \]

proving our claim.

Next we show that $xL_i \cap C_{i+1} = xC_{L_i}(a^x)\mathcal{U}(x)$, with $\mathcal{U}(x)$ as defined before
Proposition 7.1 (recall that $x \in \mathcal{T}_i$). Let $y \in xL_i \cap C_{i+1}$, so that $y = xk$ for some $k \in L_i$
and $xk \in C_{i+1}$. Since $C_{i+1} = C_{G_0}(a)\mathcal{T}_{i+1}$, it follows that $a^{xk} \in a^{\mathcal{T}_{i+1}} \cap a^{xL_i}$. By the
definition of $\mathcal{T}_{i+1}$, there is some $u \in \mathcal{U}(x)$ such that $a^{xk} = a^{xu}$, and so $k \in C_{L_i}(a^x)u$.
Therefore $xk \in xC_{L_i}(a^x)u$, and we obtain that $y = xk \in xC_{L_i}(a^x)\mathcal{U}(x)$. Conversely
consider $y = xcu$, where $c \in C_{L_i}(a^x)$ and $u \in \mathcal{U}(x)$. As $\mathcal{U}(x) \subseteq L_i$, we have $y = xcu \in xL_i$.
Further, $a^{xcu} = a^{xu} \in a^{x\mathcal{U}(x)} \subseteq a^{\mathcal{T}_{i+1}}$. Thus $y = xcu \in C_{G_0}(a)\mathcal{T}_{i+1} = C_{i+1}$. Therefore our
claim is proved.

Putting the calculations in the last two paragraphs together, we have shown, for
$h = cxk$ with $c \in C_{G_0}(a)$, $x \in \mathcal{T}_i$, and $k \in L_i$, that $|hL_i \cap K| = |xC_{L_i}(a^x)\mathcal{U}(x)L_{i+1}|$.
Now we calculate the size of $xC_{L_i}(a^x)\mathcal{U}(x)L_{i+1}$. We first observe that $xC_{L_i}(a^x)\mathcal{U}(x)L_{i+1}$
is a union of left $L_{i+1}$-cosets, and hence, it suffices to compute the number of such
cosets contained in $xC_{L_i}(a^x)\mathcal{U}(x)L_{i+1}$. If $u_1$ and $u_2$ are distinct elements of $\mathcal{U}(x)$, then
$a^{xC_{L_i}(a^x)u_1L_{i+1}} = a^{xu_1L_{i+1}}$ and $a^{xC_{L_i}(a^x)u_2L_{i+1}} = a^{xu_2L_{i+1}}$, and so it follows from the
definition of $\mathcal{U}(x)$ that $a^{xC_{L_i}(a^x)u_1L_{i+1}}$ and $a^{xC_{L_i}(a^x)u_2L_{i+1}}$ are distinct conjugacy classes in $L_{i+1}$.
Thus $xC_{L_i}(a^x)u_1L_{i+1}$ and $xC_{L_i}(a^x)u_2L_{i+1}$ are disjoint. Therefore $xC_{L_i}(a^x)\mathcal{U}(x)L_{i+1}$ is
the disjoint union, over all $u \in \mathcal{U}(x)$, of $xC_{L_i}(a^x)uL_{i+1}$. Let $c_1, c_2 \in C_{L_i}(a^x)$. Then
$xc_1uL_{i+1} = xc_2uL_{i+1}$ if and only if $c_2^{-1}c_1 \in uL_{i+1}u^{-1}$. Thus the number of left
$L_{i+1}$-cosets in $xC_{L_i}(a^x)uL_{i+1}$ is $|C_{L_i}(a^x)|/|C_{uL_{i+1}u^{-1}}(a^x)| = |C_{L_i}(a^x)|/|C_{L_{i+1}}(a^{xu})|$. Hence, the
definition of $\mathcal{U}(x)$ implies that

IhLiHKl = \xCLXa'')U{x)Li+i\ = \xCL,ia'')uLi+i\ 



Thus 



and also 



\hLi n K\ 












^ n L,+i 




\L^\ 





















\[ \frac{|hL_i \cap K|}{|L_i|} = \frac{|C_{L_i}(a^x)|}{|L_i : L_{i+1}|} \sum_{u \in \mathcal{U}(x)} \frac{1}{|C_{L_{i+1}}(a^{xu})|}. \]

Therefore we obtain that the displayed assertions for the sifting parameter also hold. 



The main benefit of working with conjugates is that, using the notation of Proposition ,
membership of $x$ in $H$ or $K$ is equivalent to membership of $a^x$ in $L_i$ or $L_{i+1}$,
respectively; see Lemma 7.2. It is often easier to test whether a random conjugate of
a known element lies in a subgroup than to test membership of a random element in
a subgroup or subset. This is true in particular if we have detailed information about
subgroups of $L_i$ or $L_{i+1}$ generated by two $a$-conjugates.

Algorithm 4 IsMemberConjugates
/* see Lemmas 7.2 and 7.3 for notation */

Input: $(x, e)$ where $x \in G$, and $e = 0$ if IsMember is deterministic, and
    $0 < e < 1/2$ otherwise;
Output: True or False;
return IsMember($a^x$, $e$)

Algorithm 4: An IsMember algorithm for subsets

Lemma 7.2. Let $G$, $G_0$, $a$, $L_i$, $L_{i+1}$, $C_i$, $C_{i+1}$, $\mathcal{T}_i$, $\mathcal{T}_{i+1}$, be as in Proposition 7.1, set
$H = C_iL_i$ and $K = C_{i+1}L_{i+1}$, and let $x \in G$.

(a) The element $x \in H$ if and only if $a^x \in L_i$, and similarly, $x \in K$ if and only if
$a^x \in L_{i+1}$.

(b) If $(G_0, L_i, L_{i+1}, \text{IsMember})$ satisfies the membership test condition in $G$, for some
algorithm IsMember, then so does $(G_0, H, K, \text{IsMemberConjugates})$ where
the algorithm IsMemberConjugates is given by Algorithm 4.

Proof. It follows from the definition of $\mathcal{T}_i$ that $a^{\mathcal{T}_iL_i} = a^{G_0} \cap L_i$. The first assertion in
part (a) is then obvious, and the second follows similarly.

To prove part (b), recall the second assertion of part (a), namely that $x \in K$ if and
only if $a^x \in L_{i+1}$. If this condition holds then the membership test condition (see
Definition EH}) on IsMember implies that IsMember($a^x$, $e$) = True and hence we obtain
IsMemberConjugates($x$, $e$) = True. Also, by part (a), $x \in H \setminus K$ if and only if
$a^x \in L_i \setminus L_{i+1}$. By the membership test condition on IsMember we have

\[ \mathrm{Prob}(\text{output of IsMember is True} \mid x \in H \setminus K) \le e \]

and hence by the 'definition' of IsMemberConjugates in Algorithm 4

\[ \mathrm{Prob}(\text{output of IsMemberConjugates is True} \mid a^x \in L_i \setminus L_{i+1}) \le e. \]

Thus the membership test condition holds for $(G_0, H, K, \text{IsMemberConjugates})$ in $G$.

By Lemma 7.2 we can use IsMemberConjugates($xy$, $e$) to replace the algorithm
IsMember($xy$, $e$) in the BasicSift Algorithm 2. Some explicit instances of IsMember
will be discussed in SectionHUl We discuss here one special case, namely where $L_{i+1} = \langle a \rangle$.
Here it turns out that Lemma 7.2 applies with $K = N_{G_0}(\langle a \rangle)$. Before proving this assertion
in Lemma 7.3 below, we make a few comments about the context in which it will arise.
(This context below occurs in several applications to sporadic simple groups.)

If condition (jH)) holds for a subgroup chain (5), then we construct, as at the beginning
of this section, subsets $\mathcal{T}_i$ and $C_i = C_{G_0}(a)\mathcal{T}_i$, for each $i$, such that (4) and (6) both hold.
Note that $a^{G_0} \cap L_i = a^{\mathcal{T}_iL_i}$ and that $\mathcal{T}_iL_i = \mathcal{T}_{i+1}L_i$ for each $i$; see Proposition 7.1. Also
$\langle a \rangle \le L_{k-1} \le L_i$, for all $i \le k - 1$. This means that $a^{G_0} \cap L_i$ contains $a$, and hence
contains Thus $\mathcal{T}_i$ contains an element of $C_{G_0}(a)L_i$. In particular, if $L_i \le C_{G_0}(a)$,
then $\mathcal{T}_i$ contains an element of $C_{G_0}(a)$. (Note, however, that this element of $\mathcal{T}_i$ need not
be equal to 1.)

It is tempting to consider refining the chain (5) by inserting the subgroup $\langle a \rangle$ to obtain
a new chain with second last subgroup equal to $\langle a \rangle$. However condition (jH)) may fail to
hold for this new chain. For example if the original $L_{k-1} = Z_2 \times Z_2$ then $a$ is an involution,
and $|\mathcal{T}_{k-1}| = 3$, but only one of the three $L_{k-1}$-conjugacy classes in $a^{G_0} \cap L_{k-1}$ meets $\langle a \rangle$
non-trivially. Nevertheless, the situation $L_{k-1} = \langle a \rangle$ arises often in applications, so we
end this section by extending the framework to include this case.

Lemma 7.3. Suppose that $G$, $G_0$, $a$, $L_i$, $L_{i+1}$, $C_i$, $C_{i+1}$, $\mathcal{T}_i$, are as in Proposition 7.1,
that $H = C_iL_i$, $K = C_{i+1}L_{i+1}$, and that $L_{i+1} = \langle a \rangle$. Then $K = C_{i+1} = N_{G_0}(\langle a \rangle)$ and

Moreover, if $(G_0, L_i, \langle a \rangle, \text{IsMember})$ satisfies the membership test condition in $G$, for
some algorithm IsMember, then so does $(G_0, H, N_{G_0}(\langle a \rangle), \text{IsMemberConjugates})$
where the algorithm IsMemberConjugates is given by Algorithm 4.

Proof. By the definition of $\mathcal{T}_{i+1}$ and $L_{i+1}$

However, $L_{i+1}$ centralises $a^{N_{G_0}(\langle a \rangle)}$ and so $a^{\mathcal{T}_{i+1}} = a^{N_{G_0}(\langle a \rangle)}$, which implies that

\[ C_{i+1} = C_{G_0}(a)\mathcal{T}_{i+1} = N_{G_0}(\langle a \rangle). \]

Moreover, since $L_{i+1} = \langle a \rangle \le C_{G_0}(a) \subseteq N_{G_0}(\langle a \rangle) = C_{i+1}$, we obtain that $K = C_{i+1}$.

Since $L_{i+1}$ is abelian, $|\mathcal{T}_{i+1}| = |a^{G_0} \cap \langle a \rangle|$, and since $N_{G_0}(\langle a \rangle)$ acts on the set of
generators of $\langle a \rangle$, with kernel $C_{G_0}(a)$ and with $a^{G_0} \cap L_{i+1}$ as one of the orbits, it follows
that $|a^{G_0} \cap L_{i+1}| = |a^{N_{G_0}(\langle a \rangle)}| = |N_{G_0}(\langle a \rangle) : C_{G_0}(a)|$. The final assertion is part (b) of
Lemma 7.2. □

8. IsMember using element orders

In this section we present a version of BasicSift that has proved useful especially
for the first link in a chain such as (0) for several sporadic simple groups $G$. It requires
the relevant subsets to be subgroups. We give some applications that use this version in
Section Uni

As in Section 7 we will describe a version of the procedure IsMember that can be used
in the BasicSift Algorithms 2 and 3. Let $G$ and $G_0$ be finite groups such that $G_0 \le G$,
and suppose that $H$ and $K$ are subgroups of $G_0$, with $K < H$. Therefore condition ©
automatically holds with $L = H$. An extra requirement is that for all subgroups $M$ such
that $K < M \le H$, a reasonable proportion of the elements of $M$ have orders that do not
occur as orders of elements in $K$. We define

$I = \{n \in \mathbb{N} \mid$ some $M$ with $K < M \le H$ has elements of order $n$ but $K$ does not$\}$.

Assume that $I \ne \emptyset$ and let $p_0$ be a number such that for all $M$ with $K < M \le H$ the
proportion of the elements of $M$ with orders in $I$ is at least $p_0$. We suppose that $p_0 > 0$.
As usual we assume that random selections in the procedure are made independently and
uniformly from the relevant subgroups. Moreover, we emphasise that this is a 'black-box
algorithm', and in particular it is not easy to find the order of an element efficiently.
To test if an element $g$ has a particular order $n \in I$, we check first that $g^n = 1$ which
implies that the order of $g$ divides $n$, and then, for each maximal proper divisor $d$ of $n$,
we test that $g^d \ne 1$. We define $\ell$ to be the number of integers that are either equal to or
a maximal proper divisor of an element of $I$. Then for $g \in G_0$ we can test if the order of
$g$ lies in $I$ by examining $\ell$ powers of $g$.

Proposition 8.1. Suppose that $G$, $G_0$, $H$, $K$, $I$, $\ell$, and $p_0$ are as above. Also suppose
that, for any $M$ satisfying $K \le M \le H$, RandomElement($M$) returns uniformly
distributed, independent random elements of $M$. Then $(G_0, H, K, \text{IsMember})$ satisfies
the membership test condition in $G$, where IsMember is Algorithm 5. Further, the cost
of running IsMemberOrders($\cdot$, $\varepsilon$) is

\[ O\bigl( \log(\varepsilon^{-1}) \cdot p_0^{-1} (\xi + \log(\max I) \cdot \ell \cdot \varrho) \bigr) \]

where $\max I$ is the maximum integer in $I$, and $\varrho$, $\xi$ are upper bounds for the costs of
a group operation in $G$, and making a random selection from any subgroup of the form
$\langle K, g \rangle$ ($g \in G$), respectively.

Algorithm 5 IsMemberOrders
/* See Proposition 8.1 for notation */

Input: $(y, \varepsilon)$ where $y \in G$, and $0 < \varepsilon < 1/2$;
Output: True or False;

set $N = \lceil \log(\varepsilon^{-1}) / \log((1 - p_0)^{-1}) \rceil$;
set $n = 0$;
repeat
    set $h$ = RandomElement($\langle K, y \rangle$);
    if the order of $h$ is in $I$ then
        return False
    end
    set $n := n + 1$
until $n \ge N$;
return True

Algorithm 5: The algorithm IsMemberOrders

Remark: In Algorithm 5 we have to make a random selection from a possibly different
group $\langle K, y \rangle$ for every step of the loop. Because the known algorithms for producing
(pseudo-) random elements in groups all involve an initialisation phase, the constant $\xi$
here could be much bigger than the constant $\varrho$ or even the corresponding constant $\xi$ in
other algorithms of this paper.

Proof. If $y \in K$, then by one of the conditions on the input, no element of $\langle K, y \rangle = K$
has order in $I$, and hence the output is True. Now suppose that $y \in H \setminus K$ so that
$K < \langle K, y \rangle \le H$. By assumption, the proportion of elements of $\langle K, y \rangle$ with order in $I$ is
at least $p_0$. Thus, after $N$ independent random selections from $\langle K, y \rangle$, the probability that
we do not find at least one element with order in $I$ is at most $(1 - p_0)^N$. The definition
of $N$ implies that $(1 - p_0)^N \le \varepsilon$. Thus the membership test condition is satisfied.

Now we estimate the cost. For each random $h \in \langle K, y \rangle$, we compute $h^n$ for each $n$ that
is either equal to or a maximal divisor of an element of $I$. We do this by first computing
$h^2, h^4, \ldots, h^{2^m}$, where $2^m \le \max I < 2^{m+1}$. We use these elements to compute $h^n$, for
each relevant $n$, with at most $m\ell$ group multiplications. Thus the cost of computing all
of the relevant $h^n$ is at most $m\ell\varrho = O(\log(\max I)\,\ell\varrho)$. The number of random $h$ to be
processed is at most $N$, which, by Lemma , is $O(\log(\varepsilon^{-1}) \cdot p_0^{-1})$. Thus an upper bound
for the cost is $O\bigl( \log(\varepsilon^{-1}) \cdot p_0^{-1} (\xi + \log(\max I) \cdot \ell \cdot \varrho) \bigr)$. □

In most cases when Algorithm 5 is used, we have that $K$ is maximal in $H$, and so the
only possibility for $M$ in Proposition 8.1 is $K$ or $H$. Also it is often true that $I$ consists
entirely of primes, and then $\ell = |I| + 1$.

Corollary 8.2. Use the notation of Proposition 8.1 and suppose that $u = |H : K|$. Let
BasicSift be Algorithm{^ with Algorithm{^ as IsMember. Then the cost of executing
BasicSift$(\cdot, \varepsilon)$ with $0 < \varepsilon < 1/2$ is

$$O\Big(\log(\varepsilon^{-1}) \cdot u\,\big(\xi + \varrho + (\log(\varepsilon^{-1}) + \log u)\, p_0^{-1}\,(\xi' + \log(\max I) \cdot \ell \cdot \varrho)\big)\Big),$$

where $\xi$ is the cost of selecting a random element of $H$, $\xi'$ is an upper bound for the cost
of selecting a random element from a subgroup of the form $\langle K, x\rangle$, where $x \in H$, and $\varrho$ is
the cost of a group operation in $G$.

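Proof. Using the notation of Theorem 5.3, since $H = L > K$, we have $p = |K|/|H|$,
which is $u^{-1}$. Thus, by Theorem 5.3 and Proposition 8.1, the cost of this version of
BasicSift$(\cdot, \varepsilon)$ is

$$O\Big(\log(\varepsilon^{-1}) \cdot u\,\big(\xi + \varrho + \log(\varepsilon'^{-1})\, p_0^{-1}\,(\xi' + \log(\max I) \cdot \ell \cdot \varrho)\big)\Big),$$

where $\varepsilon' = \varepsilon u^{-1}/(2(1 - u^{-1}))$. Now

$$\log(\varepsilon'^{-1}) = \log(\varepsilon^{-1}) + \log(2) + \log(u - 1) = O(\log(\varepsilon^{-1}) + \log u),$$

and the assertion follows. □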

9. The Higman-Sims group HS revisited 

In Section 2 we presented a simple algorithm to write an element of HS as a word in
a given generating set. This algorithm served as an example for the theory developed
in this paper. We now examine how the steps of the HS algorithm in Section El fit into
the theoretical framework presented in the subsequent sections. We use the notation of
Section 2.

As in Section 2, $G$ is a group isomorphic to HS, and we set $G_0 = G$. Let $L_1$ be a maximal
subgroup of $G$ isomorphic to $U_3(5).2$. Then $L_1$ has a subgroup $Z$ of order 16. We noted in
Section El that the proportion of elements of order 11 or 15 in HS is 41/165, while $L_1$ does
not contain any such element. Let IsMember$_1$ be Algorithm with $I = \{11, 15\}$ and
$p_0 = 41/165$. Then, by Proposition 8.1, $(G, G, L_1, \mathrm{IsMember}_1)$ satisfies the membership
test condition in $G$. Let $C_1 = C_G(a)$ where $a \in Z$ and $|a| = 8$ as in Section 2, and
let IsMemberConjugates$_1$ be Algorithm El with IsMember$_1$ as IsMember. Then,
by Lemma E21, $(G, G, C_1L_1, \mathrm{IsMemberConjugates}_1)$ also satisfies the membership test
condition in $G$, and we use Algorithm |2l to obtain an algorithm BasicSift$_1$ such that
$(G, G, C_1L_1, \mathrm{BasicSift}_1)$ satisfies the basic sift condition in $G$.

In the next step we recall that $L_2 = 5^{1+2} : (8 : 2)$. We noted that $L_2 = N_G(Z(5^{1+2}))$,
and so it is easy to design a deterministic algorithm IsMember$_2$ such that the 4-tuple
$(G, L_1, L_2, \mathrm{IsMember}_2)$ satisfies the membership test condition in $G$ (just check whether
a generator for $Z(5^{1+2})$ is mapped into $Z(5^{1+2})$). We set $C_2 = C_G(a)T_2$ as in Section IT^

Using Algorithm m we find an algorithm IsMemberConjugates$_2$, using IsMember$_2$
as IsMember, such that $(G, C_1L_1, C_2L_2, \mathrm{IsMemberConjugates}_2)$ also satisfies the
membership test condition in $G$, and we use Algorithm|21 to build an algorithm BasicSift$_2$
so that $(G, C_1L_1, C_2L_2, \mathrm{BasicSift}_2)$ satisfies the basic sift condition in $G$.

As $L_3$ is a cyclic group of order 8 and $C_3 = C_G(a)T_3$ as in Section 2.3, it is easy to
check membership in $L_3$, and following the procedure explained above, it is easy to obtain
an algorithm BasicSift$_3$ such that $(G, C_2L_2, C_3L_3, \mathrm{BasicSift}_3)$ satisfies the basic sift
condition in $G$. In Section 2 we set $C_4 = C_G(a)$, and, using this fact, we can easily test
membership in $C_4$. Thus the 4-tuple $(G, C_3L_3, C_4, \mathrm{BasicSift}_4)$ can be constructed.

Finally, it is possible to list all 16 elements of $C_4$ and, via an exhaustive search, to
construct an algorithm BasicSift$_5$ such that $(G, C_4, \{1\}, \mathrm{BasicSift}_5)$ satisfies the basic
sift condition in $G$.

Algorithm in can be used with $(G, G, C_1L_1, \mathrm{BasicSift}_1)$, $(G, C_1L_1, C_2L_2, \mathrm{BasicSift}_2)$,
$(G, C_2L_2, C_3L_3, \mathrm{BasicSift}_3)$, $(G, C_3L_3, C_4, \mathrm{BasicSift}_4)$, and $(G, C_4, \{1\}, \mathrm{BasicSift}_5)$
to sift an element through the chain

$$G \supset C_1L_1 \supset C_2L_2 \supset C_3L_3 \supset C_4 \supset \{1\}.$$

10. Application of the results to sporadic simple groups

An important part of the research presented here is to find explicitly a suitable subset
chain and a BasicSift algorithm for each step in this chain for many sporadic simple
groups.

Note that all example chains in this section provide pure black-box algorithms. No particular
prior knowledge about the representations of the groups is used during the sifting.
Of course, to construct the chains we made heavy use of lots of available information and
especially of nice representations.

In the implementations, all occurring group elements are expressed as straight line
programs in terms of standard generators in the sense of |^| and [18].

One could improve the performance by using specially crafted IsMember tests relying 
on specific information about the given representation. Also, other methods will be better 
for certain representations. 

In this section we assume that $G = G_0$ is one of the sporadic simple groups. For each
group $G$ a subset $S_i$ in the chain (1) will be a product $S_i = C_G(a)T_iL_i$ with suitable $a$,
$T_i$, and $L_i$. We also set $C_i = C_G(a)T_i$ and the sequence $C_1, \ldots, C_{k-1}$ will be referred to as
a $C$-sequence. The ingredients $a$, $L_i$, $T_i$ are in the tables below. In order to present the
subset chains in the most compact form, we use the following notation.

The $a$-column. If the function IsMemberConjugates is used to sift through this
step of the subset chain, then this column specifies the conjugacy class of $a$ used by
IsMemberConjugates. The conjugacy class is given using the Atlas notation; see [7].
We can assume without loss of generality that $a$ is contained in all subgroups $L_i$ where
we need the hypothesis $a^G \cap L_i \neq \emptyset$. If the function IsMemberConjugates is not used
in this step of the chain then a dash is displayed in the appropriate cell.

The $C_G(a)$-column. This column contains information about the centralisers occurring
in the $C$-sequence $C_1, \ldots, C_{k-1}$. Note that the $C_i$ satisfy the conditions in (jH)).

The $|T_i|$-column. Here we only specify the number of elements in $T_i$. In each of
the examples, we set $T_0 = \{1\}$ and, for $i \ge 0$, the subset $T_{i+1}$ is constructed using the
procedure at the beginning of Section 7.

The $L_i$-column. In each table we list the subgroups $L_1, \ldots, L_{k-1}$ that are used to
construct the subgroup chain (jSj); this chain will be referred to as the $L$-chain. Each such
subgroup is specified as precisely as necessary to define the descending subset chain. For
example, in HS, the group $L_1$ is specified as $U_3(5).2$ (Atlas notation, see [7]), which
means that any subgroup of $G$ that is isomorphic to $U_3(5).2$ can play the role of $L_1$.
Similarly, one may take $L_2$ to be any subgroup of $L_1$ that is the semidirect product of an
extraspecial group of order 125 and a 2-group, as explained in the corresponding cell of
the table.

The $p$-column. In this column we display the sifting parameter QLj,
(see Definition 5.2 and Proposition 7.1).

The BasicSift-column (BS). We describe the BasicSift algorithm that is used in
a particular step of the subset chain. The letter R stands for BasicSiftRandom (see
Algorithm El) and the letter C stands for BasicSiftCosetReps (see Algorithm EI). Note
that in some cases Algorithm El is also used to try a certain set of group elements, such
as the set $T_i$ or its inverses.

The IsMember-column. In this column we describe how we test membership in
the subgroup $L_i$. If an $a$ is specified in the $a$-column, then we first design an algorithm
IsMember for the pair $(L_{i-1}, L_i)$ using the parameters in the same cell of the table. Then
we use Algorithm m to obtain a new algorithm IsMember for the pair $(C_{i-1}L_{i-1}, C_iL_i)$,
and finally, Algorithm El yields a 4-tuple $(G, C_{i-1}L_{i-1}, C_iL_i, \mathrm{BasicSift}_i)$ satisfying the
basic sift condition in $G$.

The membership test IsMember for the pair $(L_{i-1}, L_i)$ is described using the following
notation.

(a) If a set $I$ of element orders is specified, Algorithm El is used for the IsMember test
for $L_i$. In this case we also specify the probability to find an element of such an order
in $L_{i-1}$.

(b) If, in the BasicSift-column of the table, an $L_i$ is specified to be the centraliser or
the normaliser of an element or a subgroup, then, using this fact, we build a deterministic
algorithm to determine membership of $L_i$.

(c) Finally, the symbol 1 in that column indicates that we use an exhaustive search
to test equality in the subgroup $L_i$. This method will be used in the special case when
$L_i = 1$.

Note that the symbol "1" may stand either for the trivial subgroup or for the identity
element, but its meaning is always clear from the context.

The first example is in Table 1, which describes a subset chain for the sporadic simple
Mathieu group $M_{11}$. In Table 2 we present another subset chain for $M_{11}$ to demonstrate a
new idea, namely that information gained during an IsMember test can be used further.
Table 3 contains a subset chain for the sporadic simple Mathieu group $M_{12}$. In Table 4
we describe a subset chain for the sporadic simple Mathieu group $M_{22}$. Table 5 presents
a subset chain for the sporadic simple Janko group $J_2$ that uses only deterministic
membership tests. In contrast, Table 6 shows another chain for $J_2$ with membership tests
using element orders.

We conclude this section with a larger example, in which we demonstrate yet another
idea, namely that there may be "branches" in chains, leading to different behaviour of
the algorithm under certain circumstances that may occur during the calculation. See
Table 9 for details and Note (i) to Table 9 for an explanation.

We have implemented the generalised sifting algorithms using the subset chains described
in the tables below for some of the sporadic simple groups. The implementations
were written in the GAP 4 computational algebra system [8] and will be made available
separately in the future. Information on the performance of our implementations can be
found in Table 10 and in the notes to that table.

In practical implementations the sifting is carried out in several stages. In the first
stage we sift our element into a smaller subgroup (usually a centraliser of an element),
and then we start a new sifting procedure in that subgroup. We repeat this until we reach
the trivial subgroup containing only the identity element. In our tables we indicate the
boundary between different stages by a horizontal line. For instance in Table 1, we first
sift our element into the subgroup $2.S_4$, and then carry out a new sifting procedure in
$2.S_4$.

| 1 | 1/11 | C | 1 |

Table 2. A second chain for $M_{11}$ using $L_2(11)$



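| $M_{12}$ | $a$ | $C_G(a)$ | $\lvert T_i\rvert$ | $L_i$ | $p$ | BS | IsMember |
|---|---|---|---|---|---|---|---|
| 1 | $a \in 2A$ | $2 \times S_5$ | 1 | $M_8.S_4$ | 1/33 | R | $C_G(2B)$ |
| 2 | $a \in 2A$ | $2 \times S_5$ | 1 | \ClA^)\ = 32 | 1/3 | C | Cl^{x) with = 1 |
| 3 | $a \in 2A$ | $2 \times S_5$ | 2 | \ClM\ = 8 | 1/2 | C | Cii iy) with = 1 |
| 4 | $a \in 2A$ | $2 \times S_5$ | 1 | 1 | 1/2 | C | $C_G(2A)$ |
| 4 | | | | | | | |
| 5 | | | 1 | \NlM\ = 40 | 1/6 | C | Nl^{z) with = 1 |
| 6 | | | 1 | \Cl,{z)\ = 10 | 1/4 | C | Cl^{z) with 2;^ = 1 |
| 7 | | | 1 | 1 | 1/10 | C | 1 |

Table 3. A chain for $M_{12}$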



Notes to Table 2. Let $a$ be as in the table and select $x \in G$. We want to write the
element $x$ as a word in a given nice generating set. Choose an element $a' \in 11A \cap L_1$
such that $[a, a'] \neq 1$ and let $z \in L_1$ with $(a')^z = a$. Then $L_1$ has 12 Sylow 11-subgroups,
namely $\langle a\rangle$ and $\langle (a')^{a^i}\rangle$, $i = 0, \ldots, 10$. For $y_1 \in G$, $a^{xy_1} \in L_1$ if and only if $\langle a^{xy_1}\rangle$
coincides with one of the Sylow 11-subgroups of $L_1$. Further, such a Sylow subgroup is
self-centralising in $G$. Thus the membership test $a^{xy_1} \in L_1$ is carried out by checking
whether $[a^{xy_1}, a] = 1$ or $[a^{xy_1}, (a')^{a^i}] = 1$ for some $i \in \{0, \ldots, 10\}$.

The second step of the sifting can be made more efficient as follows. Assume that
$a^{xy_1} \in L_1$. If $[a^{xy_1}, a] = 1$ then $a^{xy_1} \in L_2$, and we can proceed to the third step of the
sifting procedure. If $[a^{xy_1}, (a')^{a^i}] = 1$ then, for $y_2 = a^{-i}z$ we have that $a^{xy_1y_2} \in L_2$. Thus,
storing some information about the membership test in the first step, we can immediately
select the sifting element $y_2$ in the second step.

| $M_{22}$ | $a$ | $C_G(a)$ | $\lvert T_i\rvert$ | $L_i$ | $p$ | BS | IsMember |
|---|---|---|---|---|---|---|---|
| 1 | $a \in 2A$ | $2^4 : S_4$ | 1 | | 3/11 | | $I = \{6, 8, 11\}$, $p_0 = 103/364$ |
| 2 | $a \in 2A$ | $2^4 : S_4$ | 2 | 2^: A, | 5/21 | | $I = \{7\}$, $p_0 = 2/7$ |
| 3 | $a \in 2A$ | $2^4 : S_4$ | 1 | 1 | 1/60 | | $C_G(a)$, see Note below |
| 3 | | | | $2^4 : S_4$ | | | |
| 4 | | | 1 | $2^4$ | 1/24 | C | Cg{x) with ^2 = 1 |
| 5 | | | 1 | 1 | 1/16 | C | 1 |

Table 4. A chain for $M_{22}$





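| $J_2$ | $a$ | $C_G(a)$ | $\lvert T_i\rvert$ | $L_i$ | $p$ | BS | IsMember |
|---|---|---|---|---|---|---|---|
| 1 | $a \in$ | $\langle a\rangle$ | 2 | $3.A_6.2_2$ | 1/140 | | $N_G(3A) = N_G(\mathrm{Soc}(L_1))$ |
| 2 | $a \in$ | $\langle a\rangle$ | 4 | $3^{1+2} : 8$ | 1/5 | C | $N_G(3^{1+2}) = N_G(\mathrm{Syl}_3(L_1))$ |
| 3 | $a \in$ | $\langle a\rangle$ | 4 | 8 | 1/27 | C | $C_G(a) = \langle a\rangle$ |
| 4 | $a \in$ | $\langle a\rangle$ | 1 | 1 | 1/4 | C | |
| 4 | | | | $\langle a\rangle$ | | | |
| 5 | | | 1 | 1 | 1/8 | C | 1 |

Table 5. A chain for $J_2$ with deterministic membership tests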



Notes to Table 4. Here the elements from $T_2 = \{1, t_1\}$ are tried together with elements
from the group $L_2$ to reach the centraliser of $a$. The probability 1/60 is the minimum of
the probability for the two cases $C_G(a) \cdot \{1\} \cdot L_2$ and $C_G(a) \cdot \{t_1\} \cdot L_2$.

Notes to Table 6.

(i) $a^G \cap (3.A_6.2) \subseteq 3.A_6$, so we get an index 2 for free.

(ii) The 3 of $3 \times A_5$ is in $C_G(a)$, and hence C2-L2 = $2 \times A_5$.

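In Sections 2 and 9 we already described the subgroup chain for the sporadic simple
Higman-Sims group HS presented in Table 7. We found this chain very useful to illustrate
the ideas used in this paper. However, it turns out that one can design a much more
efficient chain for HS whose details are presented in Table 8.

| $J_2$ | $a$ | $C_G(a)$ | $\lvert T_i\rvert$ | $L_i$ | $p$ | BS | IsMember | Note |
|---|---|---|---|---|---|---|---|---|
| 1 | $a \in 2A$ | $2_-^{1+4} : A_5$ | 1 | $3.A_6.2_2$ | 1/6 | R | $N_G(3A)$ | (i) |
| 2 | $a \in 2A$ | $2_-^{1+4} : A_5$ | 1 | $3 \times A_5$ | 1/3 | C | $I = \{4, 12\}$, $p_0 = 1/4$ | (ii) |
| 3 | $a \in 2A$ | $2_-^{1+4} : A_5$ | 1 | $A_4$ | 1/5 | C | $I = \{5\}$, $p_0 = 2/5$ | |
| 4 | $a \in 2A$ | $2_-^{1+4} : A_5$ | 1 | 4 | 1/3 | C | | |
| 4 | | | | $2_-^{1+4} : A_5$ | | | | |
| 5 | | | 1 | $\lvert L_5\rvert = 192$ | 1/10 | C | Cc,{2C) | |
| 6 | | | 1 | $\lvert L_6\rvert = 32$ | 1/6 | C | Nc^AA) | |
| 7 | | | 1 | $\lvert L_7\rvert = 16$ | 1/2 | C | Cc,(4A) | |
| 8 | | | 1 | 1 | 1/16 | C | 1 | |

Table 6. Another chain for $J_2$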


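| HS | $a$ | $C_G(a)$ | $\lvert T_i\rvert$ | $L_i$ | $p$ | BS | IsMember |
|---|---|---|---|---|---|---|---|
| 1 | $a \in 8B$ | $2 \times 8$ | 1 | $U_3(5).2$ | 1/88 | R | $I = \{11, 15\}$, $p_0 = 41/165$ |
| 2 | $a \in 8B$ | $2 \times 8$ | 2 | $5^{1+2} : (8 : 2)$ | 1/63 | R | |
| 3 | $a \in 8B$ | $2 \times 8$ | 4 | $\langle a\rangle$ | 1/125 | R | CM |
| 4 | | $2 \times 8$ | 1 | 1 | 1/4 | C | 1 |
| 4 | | | | $2 \times 8$ | | | |
| 5 | | | 1 | 1 | 1/16 | C | 1 |

Table 7. The chain for HS from Sections 2 and 9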



Notes to Table 8.

(i) The $2^2$ in $A_4$ is equal to $C_{A_4}(a)$, therefore we can test membership of in $A_4$
efficiently.

(ii) Here we reach $C_G(a)$, since $2^2 \le C_G(a)$.

Notes to Table

(i) a*^ n Li = {a,a-^} U a^^i for some X G G. We store an element y ^ G with
= a^^ and handle the cases = a and = separately, which allows us
to jump directly to step 6 in these cases. Otherwise, we can work with a single
conjugacy class a^^^ in Li. Of course, most of the time this latter case will occur,
as a^^^ has 30800 elements.

| HS | $a$ | $C_G(a)$ | $\lvert T_i\rvert$ | $L_i$ | $p$ | BS | IsMember |
|---|---|---|---|---|---|---|---|
| 1 | $a \in 2A$ | $4.2^4 : S_5$ | 1 | $M_{22}$ | 1/5 | R | $I = \{10, 12, 15, 20\}$, $p_0 = 7/20$ |
| 2 | $a \in 2A$ | $4.2^4 : S_5$ | 1 | $L_3(4)$ | 3/11 | R | $I = \{6, 8, 11\}$, $p_0 = 103/264$ |
| 3 | $a \in 2A$ | $4.2^4 : S_5$ | 1 | $A_6$ | 1/7 | R | $I = \{7\}$, $p_0 = 2/7$ |
| 4 | $a \in 2A$ | $4.2^4 : S_5$ | 1 | $A_5$ | 1/3 | C | $I = \{4\}$, $p_0 = 1/4$ |
| 5 | $a \in 2A$ | $4.2^4 : S_5$ | 1 | $A_4$ | 1/5 | C | (i) |
| 6 | $a \in 2A$ | $4.2^4 : S_5$ | 1 | $2^2$ | 1/3 | C | $\subseteq C_G(a)$ (ii) |
| 6 | | | | $4.2^4 : S_5$ | | | |
| 7 | | | 1 | $4.2^4 : A_5$ | 1/2 | C | Cc(45) |
| 8 | | | 1 | $4.2^4.2^2$ | 1/15 | C | Nc{x^) for some x with = 1 |
| 9 | | | 1 | $4.2^4.2$ | 1/2 | C | Cc{x^) |
| 10 | | | 1 | $8 \times 2$ | 1/8 | C | Cc{x) |
| 11 | | | 1 | 1 | 1/16 | C | 1 |

Table 8. More efficient chain for HS



| Ly | $a$ | $C_G(a)$ | $\lvert T_i\rvert$ | $L_i$ | $p$ | BS | IsMember | Note |
|---|---|---|---|---|---|---|---|---|
| 1 | $a \in 3A$ | $3.McL$ | 3 | $3.McL$ | 15401/9606125 | R | | (i) |
| 2 | $a \in 3A$ | $3.McL$ | 1 | $2.A_8$ | 1/275 | R | $C_{L_1}(2A)$ | (ii) |
| 3 | $a \in 3A$ | $3.McL$ | 3 | $3 \times (2.A_5)$ | 11/56 | R | $C_{L_2}(3A)$ | (iii) |
| 4 | $a \in 3A$ | $3.McL$ | 3 | $3 \times (2.S_3)$ | 1/10 | C | | |
| 5 | $a \in 3A$ | $3.McL$ | 4 | $3 \times 2 \times 3$ | 1/2 | C | set | (iv) |
| 5 | | | | $3.McL$ | | | | |
| 6 | $a' \in 3C$ | $3^{2+4}(2.A_5)$ | 1 | $2.A_8$ | 1/275 | R | $C_{3.McL}(2A)$ | (v) |
| 7 | $a' \in 3C$ | $3^{2+4}(2.A_5)$ | 3 | $3 \times (2.A_5)$ | 11/56 | R | | |
| 8 | $a' \in 3C$ | $3^{2+4}(2.A_5)$ | 3 | $3 \times (2.S_3)$ | 1/10 | C | | |
| 9 | $a' \in 3C$ | $3^{2+4}(2.A_5)$ | 4 | $3 \times 2 \times 3$ | 1/2 | C | set | (vi) |
| 9 | | | | $3^{2+4}(2.A_5)$ | | | | |
| 10 | | | 1 | $\lvert L_{10}\rvert = 1080$ | 1/81 | C | $C_{C'}(z)$ | (vii) |
| 11 | | | 1 | $\lvert L_{11}\rvert = 90$ | 1/12 | C | Ca{z') | (viii) |
| 12 | | | 1 | $\lvert L_{12}\rvert = 9$ | 1/10 | C | $\mathrm{Syl}_3(L_{11})$ | (ix) |
| 13 | | | 1 | 1 | 1/9 | C | 1 | |

Table 9. A chain for Ly

(ii) The centraliser of a 2A element in $3.McL$ is $3 \times (2.A_8)$. However, we already
have avoided the 3 in the center by the special cases in step 1. Note that we have
reduced the number $|T_2|$ to 1, because $T_2 = \{x\}$, again by the special cases in step
1.

(iii) $L_3$ is the centraliser in $L_2$ of an element of order 3.

(iv) In this step we store the complete set of 4 possible results for together with
elements of $G$ to conjugate them back to $a$. So we can reach $C_G(a)$ after this step
with no additional costs.

(v) $a'$ is from 3C in $3.McL$. By $3^{2+4}$ in Lq we mean a 3-group with an elementary-abelian
center of order 9 with an elementary-abelian group of order 81 as factor
group. As in (ii), the centraliser of a 2A element in $3.McL$ is $3 \times (2.A_8)$. However,
since $a'$ lies in 3C of $3.McL$, we automatically reach $2.A_8$.

(vi) Note (iv) applies analogously.

(vii) $z$ is an involution in $C' := C_{3.McL}(a') = 3^{2+4}.(2.A_5)$.

(viii) $z'$ is an element of order 15 in C.

(ix) The Sylow-3-subgroup is normal, therefore just looking for element orders tests
membership.

Notes to Table IIOL The algorithms presented in this paper were implemented for the 
sporadic simple groups above. We used matrix representations of these groups and Ta- 
ble^! contains some average running times in seconds. For each representation, we sifted 
1000 pseudo random elements and the running times are for those 1000 calls to Sift 
on a machine with a Pentium IV processor running at 2.53 GHz with 512 MB of main 
memory. The third column contains the average number of multiplications necessary for 
one call to Sift, including the generation of pseudo random elements. Note that the 
initialization phase of the pseudo random generator (using product replacement) involves 
100 multiplications for every newly generated group object. In all cases the bound for the 
error probability was 1/100. 
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OroiiD 


Time for 1000 calls in seconds 


Av. no. of niults. per call 


Mil ^ ^Liol^^J 


n 8 

U.O 


110 ^^cnain in lapie iiji 




n 7 


10 1 icnain in lauie izii 




9fi 1 
ZU. 1 


1 lu icnain in lauie iii) 


A/f <f C-,\ CW 

will ^ ^L45(^Oj 


'^A 1 
0^. 1 


loo icnain in lauie izii 




9 9 




-'"12 ^ *J'-44l^ZJ 


11 .U 




-'"12 ^ VjLigl^iiJ 


mo 
lu.y 


9'?8 


A/f <^ n (o\ 


9c; 9 


10 ( u 


A/f <^ n (''?'\ 


yo.o 


1 R8c; 

lOoO 


Ir. < C-,\ ^r-O^ 

J2 5% VoL36l,^J 




Qn8 fphain in TnVilpF^ 


J2 ^ GL36(2) 


46.2 


847 (chain in Table IH)) 


J2 ^ GLi4(5) 


32.7 


923 (chain in Table El) 


J2 ^ GLi4(5) 


33.2 


846 (chain in Table IH)) 


HS ^ GL2o(2) 


344.8 


13923 (chain in Table Ej) 


HS ^ GL2o(2) 


77.7 


2783 (chain in Table E)) 


HS ^ GL49(3) 


699.2 


2807 (chain in Table El) 


Ly^GLni(5) 


19835.8 


7416 



Table 10. Timings and number of multiplications for various chains 
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